# ============================================================
#  Diamond Vault – Free Edition
#  Apache Security Rules
# ============================================================

# --- Force HTTPS (optional, uncomment if SSL is available) --
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Block direct access to sensitive files -----------------
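# Exact file names that must never be served: environment secrets, the
# database dump, one-shot installer scripts and dependency manifests (which
# reveal exact library versions). FilesMatch tests the file name only, not
# the path, so these rules apply in every subdirectory below this .htaccess.
<FilesMatch "^(\.env(\..*)?|database\.sql|seed\.php|install\.php|composer\.(json|lock)|package(-lock)?\.json)$">
    # Apache 2.4 uses "Require"; the Order/Deny pair is the 2.2 syntax and is
    # only understood by 2.4 when mod_access_compat is loaded (otherwise the
    # request fails with a 500). Mixing the two styles on one server is not
    # recommended, so each version gets exactly one form.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# File extensions that are never meant to be served to browsers: logs,
# backups, SQL, shell/batch scripts, raw configuration and ".dist" templates.
<FilesMatch "\.(md|log|bak|sql|sh|bat|ini|cfg|conf|dist)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>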

# --- Block access to hidden files and directories -----------
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Forbid any URL path segment beginning with a dot (e.g. .git/, .env,
    # .htpasswd) wherever it occurs in the path. The only exception is the
    # .well-known tree, which ACME certificate validation must be able to read.
    RewriteRule "(^|/)\.(?!well-known)" "-" [F,L]
</IfModule>

# --- Block access to includes/ config/ directories ---------
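<IfModule mod_rewrite.c>
    # Stated again so this block keeps working if the hidden-files block above
    # is removed or reordered: with RewriteEngine left at its default (Off)
    # the rules below would be silently ignored rather than rejected.
    RewriteEngine On
    # Forbid direct requests into the application's internal directories.
    # Paths are relative to the directory holding this .htaccess. [NC] keeps
    # the rule effective on case-insensitive filesystems (macOS, Windows),
    # where "Includes/" resolves to the same directory as "includes/".
    RewriteRule ^(includes|config|vendor)/ - [F,L,NC]
</IfModule>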

# --- Disable directory listing ------------------------------
# Stops Apache from generating a listing for directories without an index
# file. In .htaccess this directive needs "AllowOverride Options" (or All)
# in the server config; if overrides are not permitted Apache answers every
# request in this directory with a 500, so check the override policy first.
Options -Indexes

# --- Security headers ---------------------------------------
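<IfModule mod_headers.c>
    # "always" also covers error responses (4xx/5xx), which plain "set" skips.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # The legacy XSS auditor has been removed from current browsers and, where
    # it still exists, can itself be abused for cross-site information leaks;
    # "0" explicitly disables it. XSS mitigation is the job of the CSP below.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Browsers ignore HSTS received over plain HTTP, so this is inert until
    # the HTTPS redirect at the top of this file is enabled. "preload" is a
    # long-term commitment: once the host is on the browser preload lists it
    # cannot be quickly withdrawn and includeSubDomains applies to every
    # subdomain, so keep the flag only if that is intended.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # NOTE: 'unsafe-inline' in script-src switches off the CSP's main defence
    # against injected scripts; move inline scripts to files or nonces/hashes
    # and drop it when the templates allow.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; object-src 'none';"

    # Hide server version information.
    # Unsetting "Server" from mod_headers is typically ineffective because the
    # core adds that header after the header filters have run; the reliable
    # fix is "ServerTokens Prod" in the main server config, which cannot be
    # set from .htaccess. X-Powered-By is emitted by PHP and can be removed
    # here (or via expose_php=Off in php.ini).
    Header always unset Server
    Header always unset X-Powered-By
</IfModule>

# Allowed in .htaccess: strips the Apache version footer from server-generated
# pages (error pages, directory listings).
ServerSignature Off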

# --- PHP settings -------------------------------------------
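# These directives only take effect when PHP runs as an Apache module. Under
# PHP-FPM/FastCGI the module is absent, this whole block is skipped and none
# of the settings apply, so mirror them in php.ini or a .user.ini there.
# The module name is version-specific (PHP 7 builds register mod_php7.c), so
# confirm it matches the installed PHP before relying on this block.
<IfModule mod_php.c>
    # Never show stack traces or file paths to visitors; keep them in the log.
    php_flag display_errors Off
    php_flag log_errors On
    # Session cookie is not readable from JavaScript and is not sent on
    # cross-site POST requests (CSRF reduction).
    php_value session.cookie_httponly 1
    php_value session.cookie_samesite Lax
    # Reject client-supplied session IDs the server never issued, which
    # closes the classic session-fixation path through a pre-chosen ID.
    php_value session.use_strict_mode 1
    # Enable once the site is served exclusively over HTTPS (see the redirect
    # at the top of this file). On plain HTTP the browser would never return
    # a Secure cookie, so sessions would stop working.
    # php_value session.cookie_secure 1
</IfModule>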
