# Apache .htaccess Security Configuration
# Place this in your website root directory

# Block bots from accessing sensitive areas
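# Scanner-noise filter.
# NOTE: User-Agent and query string are entirely client-controlled, so these
# rules only cut down on noise from tools that identify themselves; they are
# not a substitute for input validation in the application or a WAF.
# Wrapped in IfModule so a host without mod_rewrite does not answer 500 for
# every request instead of serving the site.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block self-identifying scanner user agents when they hit management
    # paths ending in script/data extensions. Consecutive RewriteCond lines
    # AND together, so BOTH conditions must hold before the rule fires.
    RewriteCond %{HTTP_USER_AGENT} (masscan|scrapy|nikto|sqlmap|nmap|metasploit) [NC]
    RewriteCond %{REQUEST_URI} (admin|api|reports|inventory|sales|customers|suppliers|expenses)\/.*\.(php|sql|txt|log)$ [NC]
    RewriteRule .* - [F,L]

    # Block SQL-injection-looking query strings, but only from generic
    # crawler user agents, so a legitimate user whose search term happens to
    # contain "union ... select" is never hit by a false positive.
    RewriteCond %{QUERY_STRING} (union.*select|concat.*\(|base64_decode) [NC]
    RewriteCond %{HTTP_USER_AGENT} (bot|crawler|spider) [NC]
    RewriteRule .* - [F,L]
</IfModule>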

# Security headers
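<IfModule mod_headers.c>
    # "always" applies the headers to error responses (403/404, including
    # the custom ErrorDocument pages) as well as to 2xx; the default
    # "onsuccess" table is only consulted for successful responses.

    # Prevent clickjacking. "set" rather than "append": if an upstream layer
    # (proxy, framework) already emits X-Frame-Options, "append" produces
    # "SAMEORIGIN, SAMEORIGIN", which browsers treat as invalid and ignore.
    Header always set X-Frame-Options SAMEORIGIN

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options nosniff

    # Legacy XSS-auditor switch. Current browsers ignore this header; it is
    # kept for old clients only. The Content-Security-Policy below is the
    # real control.
    Header always set X-XSS-Protection "1; mode=block"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Content Security Policy (permissive for development).
    # TODO before production: remove the bare "https:" source, which makes the
    # CDN allow-list meaningless, and remove 'unsafe-inline' from script-src,
    # which switches off CSP's script-injection protection.
    # frame-ancestors 'self' mirrors X-Frame-Options SAMEORIGIN for CSP-aware
    # browsers; object-src 'none' blocks plugin content.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https:; font-src 'self' https://cdnjs.cloudflare.com https: data:; img-src 'self' https: data:; connect-src 'self' https://cdn.jsdelivr.net; frame-ancestors 'self'; object-src 'none'"
</IfModule>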

# Block access to sensitive files
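# Deny direct download of logs, dumps, dotenv files and other config.
# ^\.env also catches .env.local / .env.production, which the plain
# extension match misses. Apache 2.4 uses Require (mod_authz_core); the
# Order/Deny form is the 2.2 syntax and only works on 2.4 when
# mod_access_compat is loaded, so both are provided.
# Note: the json rule also blocks any manifest.json you intend to serve.
<FilesMatch "(^\.env|\.(log|sql|txt|json|env|config|ini|lock|bak|ya?ml)$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# robots.txt is caught by the .txt rule above and would be served as 403.
# Sections are merged in configuration order, so this later, more specific
# match re-allows it.
<Files "robots.txt">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>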

# Block access to vendor directory
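# <Directory> is not permitted in .htaccess (server config / vhost only);
# Apache rejects the file and answers 500 for every request. Deny the path
# with a rewrite rule instead. In per-directory context the pattern is
# matched against the path relative to this .htaccess's directory, so no
# leading slash. Alternative: a vendor/.htaccess containing
# "Require all denied".
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^vendor(/|$) - [F,L]
</IfModule>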

# Rate limiting (if mod_evasive is available)
<IfModule mod_evasive24.c>
    # NOTE(review): mod_evasive's DOS* directives appear to be server-config
    # only; if the module is loaded, Apache will most likely reject them in
    # .htaccess and answer 500, and if it is not loaded this block is a no-op.
    # Confirm against the installed module and, if so, move these settings
    # to the vhost/httpd.conf.
    # Hash table size for per-child request tracking.
    DOSHashTableSize    2048
    # Requests for the same page within DOSPageInterval seconds before blocking.
    DOSPageCount        10
    # Requests to the whole site within DOSSiteInterval seconds before blocking.
    DOSSiteCount        70
    DOSPageInterval     2
    DOSSiteInterval     2
    # Seconds a blocked client keeps receiving 403.
    DOSBlockingPeriod   600
</IfModule>

# Custom error pages
# Both 404 and 403 (including the 403s produced by the blocking rules above)
# are served by the same script. The path is absolute from the document root
# and must match the deployment.
# NOTE(review): the script name suggests a debugging page; confirm it does
# not echo request details (URI, query string, headers) back to the client,
# since it is shown to exactly the scanners the rules above reject.
ErrorDocument 404 /malshanlast/debug_404.php
ErrorDocument 403 /malshanlast/debug_404.php

# Enable Gzip compression for faster loading
<IfModule mod_deflate.c>
    # Compress text-based responses. Static assets (css/js) are safe to
    # compress; for dynamic text/html that mixes per-user secrets with
    # attacker-influenced content, compression is the precondition for
    # compression side-channel attacks (BREACH) — review before enabling
    # on authenticated pages over TLS.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json application/xml
</IfModule>

# Enable browser caching for static resources
<IfModule mod_expires.c>
    # Emit Expires / Cache-Control: max-age for static resources by MIME type.
    ExpiresActive On
    # image/jpg is not a registered MIME type (Apache serves JPEGs as
    # image/jpeg, covered on the next line); the entry is harmless.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    # NOTE(review): if the application generates per-user PDFs (e.g. reports),
    # a one-month public max-age lets shared caches store them — confirm PDFs
    # here are static, or have the application send Cache-Control: private.
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
</IfModule>

# Hide Apache version
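# ServerTokens is server-config only; in .htaccess Apache rejects it and
# answers 500 for every request. Set it in httpd.conf / apache2.conf:
#   ServerTokens Prod
# ServerSignature is allowed here and removes the version footer from
# Apache-generated error pages and directory listings.
ServerSignature Off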