# =====================================================
#    Ngadimin Panel - .htaccess Configuration
#    Security and Performance Optimization
# =====================================================

# Compress text-based responses before they are sent (DEFLATE output filter).
# NOTE(review): on Apache 2.4 AddOutputFilterByType is provided by mod_filter,
# while this guard only tests for mod_deflate - confirm both are loaded.
# NOTE(review): compressing HTML that mixes secrets (e.g. CSRF tokens) with
# reflected request data over TLS is the precondition for BREACH-style
# length side channels - confirm the panel's pages do not do this.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</IfModule>

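# Set cache lifetimes per content type (mod_expires emits Expires and
# Cache-Control: max-age based on the response Content-Type).
<IfModule mod_expires.c>
    ExpiresActive On

    # Static assets: one month.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    # This file maps .ico to image/x-icon (see the mod_mime section), so that
    # is the type that must be listed for icons to receive an expiry.
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 month"
    # Non-standard type names kept from the original for backward compatibility;
    # they only match if something upstream emits these exact Content-Types.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/ico "access plus 1 month"
    ExpiresByType image/icon "access plus 1 month"

    # NOTE(review): this makes every text/html response cacheable for an hour.
    # For an admin panel, authenticated pages should send their own
    # "Cache-Control: no-store" so they are not kept in browser or proxy
    # caches - confirm the application does so.
    ExpiresByType text/html "access plus 1 hour"
</IfModule>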

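# Security response headers. "always" also attaches them to error responses.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options nosniff

    # Forbid framing (clickjacking defence). Older browsers read
    # X-Frame-Options; current ones honour the CSP frame-ancestors directive.
    Header always set X-Frame-Options DENY

    # The legacy XSS auditor is removed from current browsers and its
    # "1; mode=block" mode introduced issues of its own in old ones; the
    # recommended value is 0 (explicitly off), relying on CSP instead.
    Header always set X-XSS-Protection "0"

    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Content-Security-Policy.
    # - frame-ancestors 'none' mirrors X-Frame-Options DENY.
    # - base-uri 'self' prevents an injected <base> tag from re-pointing
    #   relative script/form URLs.
    # NOTE(review): 'unsafe-inline' in script-src removes most of CSP's XSS
    # protection; moving inline scripts to files (or using nonces/hashes)
    # would let it be dropped. Also consider object-src 'none' and
    # form-action 'self' once confirmed the panel does not depend on them.
    # NOTE(review): no Strict-Transport-Security header is set; add one only
    # once the site is served exclusively over HTTPS.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; font-src 'self' https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'"
</IfModule>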

# Do not auto-generate directory listings when no index file is present.
Options -Indexes

# Suppress the server footer on server-generated pages (error pages etc.).
# NOTE(review): this does not change the "Server:" response header; that is
# controlled by ServerTokens, which can only be set in the main server config.
ServerSignature Off

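# Deny HTTP access to sensitive files.
# Apache 2.4 authorisation uses "Require"; the 2.2-style Order/Deny directives
# only work there through mod_access_compat and should not be mixed with
# Require. Each section therefore picks the syntax matching the loaded module.

# Any file whose name starts with a dot (.env, .htaccess, .git*, ...).
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Any file whose name starts with "config" or "database".
# NOTE(review): the pattern is a prefix match, so it also blocks files such as
# config.js or database.css; the \.env and \.htaccess alternatives are already
# covered by the dotfile rule above.
<FilesMatch "^(config|database|\.env|\.htaccess)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>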

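# Protect logs directory
# <Directory> sections are not permitted in .htaccess context: with
# mod_authz_core loaded the original section made Apache reject this file
# with a 500 error on every request. Deny by URL path instead (in
# per-directory context the pattern is matched relative to this directory).
# The most robust protection is to keep logs outside the document root, or to
# place a logs/.htaccess containing "Require all denied".
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^logs(/|$) - [F,L]
</IfModule>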

# PHP 7 runtime settings. Applied only when PHP runs as an Apache module
# (mod_php); under PHP-FPM/CGI this section is skipped.
<IfModule mod_php7.c>
    # Error handling: never render errors to the client, log them instead.
    # NOTE(review): error_log is a relative path; where it resolves depends on
    # the PHP working directory - an absolute path outside the document root
    # is safer. TODO confirm.
    php_flag log_errors On
    php_flag display_errors Off
    php_value error_log logs/error.log

    # Resource limits.
    php_value memory_limit 128M
    php_value max_execution_time 30

    # Request size limits.
    php_value post_max_size 8M
    php_value upload_max_filesize 2M
</IfModule>

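# PHP 8 runtime settings. PHP 8 registers its Apache module as php_module /
# mod_php.c (the version number was dropped from the name), so a guard on
# "mod_php8.c" never matches and display_errors Off etc. would silently not be
# applied. Applied only when PHP runs as an Apache module.
<IfModule mod_php.c>
    # Never render errors to the client; log them instead.
    php_flag display_errors Off
    php_flag log_errors On
    # NOTE(review): relative path; where it resolves depends on the PHP
    # working directory - an absolute path outside the document root is safer.
    php_value error_log logs/error.log
    php_value max_execution_time 30
    php_value memory_limit 128M
    php_value upload_max_filesize 2M
    php_value post_max_size 8M
</IfModule>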

# Force HTTPS (uncomment if you have SSL certificate)
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Serve the site's index page as the body for these error statuses, instead
# of Apache's default error pages.
ErrorDocument 403 /index.html
ErrorDocument 404 /index.html
ErrorDocument 500 /index.html

# URL rewriting for clean URLs (optional)
# RewriteEngine On
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^(.*)$ index.php [QSA,L]

# Reject request bodies larger than 2097152 bytes (2 MiB).
# NOTE(review): this is lower than the 8M post_max_size in the PHP sections,
# so it is the effective ceiling for POST bodies, and a multipart upload of a
# full 2M file will exceed it once form overhead is added.
LimitRequestBody 2097152

# Declare UTF-8 for text/plain and text/html responses that lack a charset.
AddDefaultCharset UTF-8

# Request filtering with mod_rewrite. Each rule answers 403 Forbidden ([F]).
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse requests whose User-Agent is empty, a lone "-", or contains
    # bot/crawl/spider/scraper (case-insensitive).
    # NOTE(review): the User-Agent header is client-controlled, so this only
    # reduces noise from well-behaved crawlers; it is not an access control.
    RewriteCond %{HTTP_USER_AGENT} ^-?$ [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (bot|crawl|spider|scraper) [NC]
    RewriteRule .* - [F,L]

    # Refuse the TRACE, TRACK and CONNECT methods.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|CONNECT) [NC]
    RewriteRule .* - [F,L]

    # Refuse paths that begin with logs/, .env or config.php
    # (matched relative to this directory).
    RewriteRule ^(logs/|\.env|config\.php) - [F,L]
</IfModule>

# Map file extensions to the Content-Type they are served with.
<IfModule mod_mime.c>
    # Scripts, styles and data
    AddType text/css .css
    AddType application/javascript .js
    AddType application/json .json

    # Images
    AddType image/x-icon .ico
    AddType image/svg+xml .svg
</IfModule>

# Compression for a wider set of content types, guarded on mod_filter (the
# module that provides AddOutputFilterByType on Apache 2.4).
# NOTE(review): several types repeat the mod_deflate section at the top of
# this file, and this guard does not check that mod_deflate (which supplies
# the DEFLATE filter itself) is loaded.
<IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml application/javascript application/json
    AddOutputFilterByType DEFLATE application/rss+xml application/vnd.ms-fontobject application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json application/xhtml+xml application/xml
    AddOutputFilterByType DEFLATE font/opentype image/svg+xml image/x-icon
    AddOutputFilterByType DEFLATE text/css text/html text/plain
    AddOutputFilterByType DEFLATE text/x-component text/x-cross-domain-policy text/x-js
</IfModule>