# =====================================================================
# NovelSphere — Apache .htaccess for shared hosting (cPanel-friendly)
# Place this in the document root (e.g. public_html/.htaccess)
# =====================================================================

Options -Indexes -MultiViews
Options +FollowSymLinks

<IfModule mod_rewrite.c>
    RewriteEngine On

    # If app is in a subfolder, set RewriteBase accordingly
    # RewriteBase /

    # Force HTTPS (uncomment when SSL is active)
    # RewriteCond %{HTTPS} off
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Route everything to index.php except real files/dirs
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/(assets|uploads|editor|captchas)/
    RewriteRule ^ index.php [QSA,L]

    # Redirect /index.php/anything to /anything (cleaner URLs)
    RewriteCond %{THE_REQUEST} ^GET.*index\.php [NC]
    RewriteRule (.*?)index\.php/*(.*) /$1$2 [R=301,L]
</IfModule>

# ---------------------------------------------------------------------
# Security hardening
# ---------------------------------------------------------------------

# Block hidden files (.git, .env, .htaccess itself)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Protect config & .env explicitly
<FilesMatch "^(composer\.(json|lock)|\.env|\.env\.example|schema\.sql|README|INSTALL|CHANGELOG)">
    Require all denied
</FilesMatch>

# Disable directory listing fallback
DirectoryIndex index.php index.html

# Disable server signature
ServerSignature Off

# Security headers (when mod_headers available)
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # CSP: allow admin editor (TinyMCE), inline styles for reader theme injection, and self
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; media-src 'self'; frame-src 'self' https://www.youtube.com https://www.google.com; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'"
</IfModule>

# ---------------------------------------------------------------------
# Compression (when mod_deflate available)
# ---------------------------------------------------------------------
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE application/xml application/rss+xml image/svg+xml
</IfModule>

# ---------------------------------------------------------------------
# Browser cache for static assets
# ---------------------------------------------------------------------
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/gif "access plus 30 days"
    ExpiresByType image/webp "access plus 30 days"
    ExpiresByType image/svg+xml "access plus 30 days"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

# Block PHP execution in uploads directory
<IfModule mod_rewrite.c>
    RewriteRule ^uploads/.*\.(php|phtml|php3|php4|php5|php7|phps|cgi|pl)$ - [F,L,NC]
</IfModule>

# Limit request body size (defence against huge uploads)
<IfModule mod_php.c>
    php_value upload_max_filesize 8M
    php_value post_max_size 12M
    php_value memory_limit 128M
    php_value max_execution_time 60
    php_value max_input_vars 5000
</IfModule>

<IfModule mod_php7.c>
    php_value upload_max_filesize 8M
    php_value post_max_size 12M
    php_value memory_limit 128M
    php_value max_execution_time 60
    php_value max_input_vars 5000
</IfModule>

<IfModule mod_php8.c>
    php_value upload_max_filesize 8M
    php_value post_max_size 12M
    php_value memory_limit 128M
    php_value max_execution_time 60
    php_value max_input_vars 5000
</IfModule>

# Custom error pages
ErrorDocument 404 /index.php?r=error/404
ErrorDocument 403 /index.php?r=error/403
ErrorDocument 500 /index.php?r=error/500
ErrorDocument 503 /index.php?r=error/maintenance
