# Galappxy API - Apache Configuration
# VERSION 2.0 - Con soporte para httpOnly cookies

# Enable Rewrite Engine
RewriteEngine On

# Disable directory listing
# -Indexes: never auto-generate a listing when a directory has no index file.
# +FollowSymLinks: needed for mod_rewrite to operate in a per-directory
# (.htaccess) context.
Options -Indexes +FollowSymLinks

# Route requests to appropriate index.php
# Both conditions apply only to the RewriteRule directly below them: the
# rewrite fires only when the requested path is neither an existing file nor
# an existing directory, so real files under v1/auth/ are served unchanged.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# v1/auth/<anything> -> v1/auth/<anything>/index.php. QSA keeps the original
# query string; L stops processing further rules in this pass.
RewriteRule ^v1/auth/(.+)$ v1/auth/$1/index.php [QSA,L]

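# Security Headers
<IfModule mod_headers.c>
    # "always" makes these headers apply to every response, including 4xx/5xx
    # error pages. A plain "Header set" only covers successful (2xx) responses,
    # which left error pages without clickjacking / MIME-sniffing protection.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # Legacy header: current browsers ignore it; kept only for older clients.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # CORS for httpOnly cookies
    # IMPORTANT: never use "Access-Control-Allow-Origin: *" together with
    # credentials — browsers reject that combination, and reflecting arbitrary
    # origins would let any site issue credentialed requests.
    # The specific allowed origin is handled in commons.php according to
    # CORS_ALLOWED_ORIGINS, so no CORS headers are emitted at this layer.

    # For local debugging you can uncomment:
    # SetEnvIf Origin "^http(s)?://localhost(:[0-9]+)?$" ORIGIN_ALLOWED=$0
    # SetEnvIf Origin "^http(s)?://(.+\.)?galappxy\.com$" ORIGIN_ALLOWED=$0
    # Header set Access-Control-Allow-Origin "%{ORIGIN_ALLOWED}e" env=ORIGIN_ALLOWED
    # Header set Access-Control-Allow-Credentials "true" env=ORIGIN_ALLOWED
    # NOTE: if enabled here, "Header set" replaces any matching header that
    # commons.php emits, so only one of the two layers should own CORS.
</IfModule>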

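# Hide sensitive files
# FilesMatch tests only the final filename component, so "^\.git" below blocks
# a file literally named .git* but NOT the contents of a .git/ directory
# (e.g. .git/config, .git/HEAD), which are regular files with ordinary names.
# Refuse any URL path containing a .git component; answer 404 rather than 403
# so the repository's presence is not confirmed to the requester.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.git(/|$)"
</IfModule>
# Per-file deny list: dotenv files, stray .git* files, composer manifests,
# README and SQL dumps. Patterns without "^"/"$" match anywhere in the name.
<FilesMatch "^\.env|^\.git|composer\.(json|lock)|README\.md|\.sql$">
    Require all denied
</FilesMatch>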

# PHP Settings
# NOTE(review): these directives only take effect when PHP runs as an Apache
# module. Under PHP-FPM/FastCGI the whole block is skipped silently, and
# display_errors/log_errors must then be set in php.ini or the pool config —
# confirm how PHP is deployed. The module name also varies by PHP version
# (e.g. mod_php7.c for PHP 7); verify it matches the installed module.
<IfModule mod_php.c>
    # Upload limits: post_max_size must be >= upload_max_filesize, otherwise
    # larger uploads are dropped before PHP sees them.
    php_value upload_max_filesize 20M
    php_value post_max_size 20M
    php_value max_execution_time 60
    php_value max_input_time 60
    # Never show errors (stack traces, paths) to clients; log them server-side.
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>

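# Security: Prevent access to backup files
# The "~" alternative sits outside the "\.(...)" group: editor backups such as
# index.php~ end in a bare "~" with no dot before it, so the earlier pattern
# "\.(bak|backup|old|tmp|~)$" never matched them. ".swp" (vim swap files) is
# included because it can expose source in the same way.
<FilesMatch "(\.(bak|backup|old|tmp|swp)|~)$">
    Require all denied
</FilesMatch>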
