# =============================================================================
#  RESTO SAAS — Apache .htaccess  (clean routing, no .php extensions)
#  Drop-in for cPanel / shared hosting. Requires mod_rewrite + mod_headers.
# =============================================================================

# Use PHP 8 if the host exposes a handler (cPanel MultiPHP). Adjust if needed.
# AddHandler application/x-httpd-php84 .php

# -Indexes: never auto-generate directory listings (a folder without an index
# would otherwise reveal every file name in it, e.g. backups or dumps).
# -MultiViews: stop content negotiation from resolving /menu to menu.php on its
# own; it is known to interfere with mod_rewrite front-controller setups like
# the one below and would sidestep its redirect/fallback logic.
Options -Indexes -MultiViews
# Only index.php is a directory index, so a stray index.html cannot shadow it.
DirectoryIndex index.php

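<IfModule mod_rewrite.c>
    RewriteEngine On
    # RewriteBase /            # uncomment & set if app lives in a subfolder

    # ---- Force HTTPS (uncomment in production) ----------------------------
    # Behind a TLS-terminating proxy/CDN (common on shared hosting) %{HTTPS}
    # stays "off" for every request and this pair would redirect forever;
    # in that case test the proxy header instead:
    #   RewriteCond %{HTTP:X-Forwarded-Proto} !https
    # RewriteCond %{HTTPS} off
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # ---- Block direct access to sensitive folders -------------------------
    # Path-prefix match relative to this directory (no leading slash in
    # per-directory context). NC also catches Database/, CONFIG/ ... on
    # case-insensitive filesystems (Windows/macOS dev boxes), where an
    # exact-case match alone could be bypassed.
    # This guard exists only while mod_rewrite is loaded; a per-folder
    # .htaccess with "Require all denied" in each of these directories does
    # not depend on it and is the more robust option.
    RewriteRule ^(database|app|includes|config|vendor|storage)(/.*)?$ - [NC,F,L]
    # Dot-directories (.git, .svn, .hg): the FilesMatch "^\." rule further
    # down matches file *names* only, so .git/config would still be readable
    # if the app is deployed as a VCS checkout.
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F,L]

    # ---- Redirect *.php URLs to clean version (301) -----------------------
    # e.g. /menu.php  ->  /menu
    # THE_REQUEST (the raw request line) is used instead of REQUEST_URI so the
    # internal rewrite back to *.php further down does not re-trigger this
    # rule and loop. NE keeps %1 from being URL-encoded a second time.
    # A 301 turns POST into GET and drops the body: forms must post to the
    # clean URL, never to foo.php.
    RewriteCond %{THE_REQUEST} \s/+(.+?)\.php[\s?] [NC]
    RewriteRule ^ /%1 [R=301,L,NE]

    # ---- Serve existing files/directories as-is ---------------------------
    # This includes any .php outside the blocked folders, so user uploads
    # must live in a blocked folder (storage) or outside the web root.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # ---- Map clean URL to its .php file if it exists ----------------------
    # e.g. /menu  ->  /menu.php
    # NOTE(review): with a trailing slash (/menu/) the -f test looks for
    # "menu/.php", so such requests appear to fall through to the front
    # controller -- confirm this is the intended behaviour.
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+?)/?$ $1.php [L]

    # ---- Front-controller fallback: everything else -> index.php ----------
    # Lets index.php handle dynamic routes like /r/saffron-smoke/menu
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>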

# ---- Security headers --------------------------------------------------------
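<IfModule mod_headers.c>
    # "always" applies the headers to 4xx/5xx responses too, including the
    # 403s produced by the rules above.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Set to "0" on purpose: the legacy XSS auditor has been removed from
    # current browsers and, where still present, could be abused to leak
    # page contents. Current OWASP guidance is to disable it and rely on a
    # Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
    Header always set Permissions-Policy "geolocation=(self), microphone=()"
    # Drop the PHP version banner. expose_php=Off in php.ini is the stronger
    # fix; this only removes what reaches mod_headers.
    Header always unset X-Powered-By
    # ---- HSTS: enable only together with the HTTPS redirect above, and only
    # once every subdomain serves valid TLS -- browsers cache it for max-age.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # Allow required CDNs (Tailwind/Bootstrap, FontAwesome, GSAP/AOS, Chart.js)
    # Tighten this list to your exact CDNs before going live: 'unsafe-inline'
    # plus a bare https: source in script-src allows any script from any
    # HTTPS host, so as written the policy does not yet stop injected scripts.
    # Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:; connect-src 'self';"
</IfModule>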

# ---- Protect hidden & sensitive files ---------------------------------------
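# (?i) makes the match case-insensitive, so Backup.SQL or error.LOG are caught
# as well; the previous pattern only matched lower-case extensions.
# Added extensions cover further source/config leaks: include files (.inc),
# YAML configs, php-source views (.phps) and editor/merge leftovers.
# "^\." matches dot-*files* only; dot-directories are handled by mod_rewrite.
<FilesMatch "(?i)(^\.|\.(sql|md|json|lock|ini|log|sh|bak|env|inc|yml|yaml|phps|orig|swp)$)">
    Require all denied
</FilesMatch>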

# Explicitly protect config & env.
# config.php is not covered by the FilesMatch list above (.php is deliberately
# absent there), so this is its only guard against direct requests; .env is
# already matched by "^\." and is repeated here for clarity.
# "Require all denied" blocks HTTP requests only -- PHP's own include/require
# of config.php is unaffected.
<Files "config.php">
    Require all denied
</Files>
<Files ".env">
    Require all denied
</Files>

# ---- Custom error pages ------------------------------------------------------
# Clean local paths: they pass through the rewrite rules above, so a 403.php /
# 404.php / 500.php at the root, or otherwise the front controller, renders
# them. Keep these pages free of stack traces and file paths so a failure does
# not leak internals. NOTE(review): a local-URL 500 handler re-enters PHP; if
# PHP itself is what failed, the handler should be a static page instead.
ErrorDocument 403 /403
ErrorDocument 404 /404
ErrorDocument 500 /500

# ---- Compression + caching (performance) ------------------------------------
<IfModule mod_deflate.c>
    # NOTE(review): compressing text/html that embeds per-session secrets
    # (CSRF tokens) next to attacker-influenced input is the precondition for
    # the BREACH side channel; either drop text/html from this list or mask
    # tokens per request in the application.
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
</IfModule>
<IfModule mod_expires.c>
    ExpiresActive On
    # Static asset types only -- there is deliberately no text/html entry, so
    # dynamic pages (which may carry session-specific content) are not given
    # a cache lifetime here. Rename or version css/js files on change, or
    # clients keep the old copy for up to a week.
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType text/css   "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
</IfModule>
