# =============================================================================
# PayForMyGasOrKissMyAss.com — .htaccess
# cPanel PHP 8.3 | Production Best Practices
# =============================================================================

# -----------------------------------------------------------------------------
# 1. REWRITE ENGINE
# -----------------------------------------------------------------------------
<IfModule mod_rewrite.c>
    # Per-directory rewrite rules. Rules are evaluated in file order and the
    # later <IfModule mod_rewrite.c> blocks (sections 10-12) rely on the
    # RewriteEngine/RewriteBase set here.
    RewriteEngine On
    RewriteBase /

    # Force HTTPS: permanent redirect to the same host and path (the query
    # string is carried over automatically). %{HTTPS} reflects this server's
    # own TLS state, so this assumes TLS terminates on this host rather than
    # on a proxy in front of it.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Force www (uncomment if preferred)
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Remove trailing slashes (except directories), e.g. /about/ -> /about
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [L,R=301]

    # Serve /page as /page.html when that file exists (internal rewrite, no
    # redirect). Paths that contain a dot are left untouched.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.html -f
    RewriteRule ^([^\.]+)$ $1.html [NC,L]

    # Block access to the JSON signature data at the site root (403).
    # Section 5 repeats this with FilesMatch so copies in subdirectories are
    # covered as well.
    RewriteRule ^signatures\.json$ - [F,L]
    RewriteRule ^rate_limits\.json$ - [F,L]

    # Block direct requests to /sign.php. THE_REQUEST is the raw request line
    # ("POST /sign.php HTTP/1.1"), so this matches any HTTP method whenever
    # the path is exactly /sign.php with no query string.
    # NOTE(review): section 12 exempts /sign.php from the catch-all route,
    # which suggests it is the form endpoint; confirm the form does not POST
    # to a bare /sign.php, because such a request is answered with 403 here.
    RewriteCond %{THE_REQUEST} \s/sign\.php\s [NC]
    RewriteRule ^ - [F,L]
</IfModule>

# -----------------------------------------------------------------------------
# 2. SECURITY HEADERS
# -----------------------------------------------------------------------------
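<IfModule mod_headers.c>
    # Security headers use "Header always set" so they are attached to every
    # response, including the 301 redirects from section 1 and the 403/404/500
    # error pages. Plain "Header set" only reaches 2xx responses, which left
    # those responses without HSTS, CSP and the framing protections.

    # Content Security Policy — allow Tailwind CDN, Font Awesome, Google Fonts.
    # NOTE: 'unsafe-inline' in script-src lets any injected inline script run,
    # so script-src currently adds little XSS protection; moving inline scripts
    # into files (or using nonces/hashes) would restore it.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' https://picsum.photos data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking protection for browsers without CSP support. DENY is the
    # equivalent of frame-ancestors 'none' above; SAMEORIGIN was looser than
    # the CSP and the two should agree.
    Header always set X-Frame-Options "DENY"

    # XSS Protection (legacy browsers only). Current browsers ignore this
    # header and OWASP now advises "0" because the old filters were abusable;
    # kept unchanged here.
    Header always set X-XSS-Protection "1; mode=block"

    # Referrer Policy — full URL for same-origin requests, origin only on
    # cross-origin, nothing on a downgrade to HTTP
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions Policy — disable unnecessary browser features
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

    # Strict Transport Security — 1 year, include subdomains. "preload" is a
    # commitment for every subdomain once the domain is submitted to the
    # browser preload list; keep it only if all subdomains serve HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Cross-Origin policies.
    # NOTE(review): require-corp makes the browser refuse cross-origin
    # resources (the CDN scripts, fonts and picsum images allowed by the CSP)
    # unless they are served with a Cross-Origin-Resource-Policy header or
    # loaded with crossorigin + CORS — verify those assets still load.
    Header always set Cross-Origin-Opener-Policy "same-origin"
    Header always set Cross-Origin-Resource-Policy "same-origin"
    Header always set Cross-Origin-Embedder-Policy "require-corp"

    # Cache Control for HTML (no-cache for dynamic content)
    <FilesMatch "\.(html|htm)$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires 0
    </FilesMatch>

    # Cache Control for static assets (1 year)
    <FilesMatch "\.(css|js|png|jpg|jpeg|gif|webp|svg|ico|woff|woff2|ttf|eot)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # Cache Control for PHP API responses (no-cache)
    <FilesMatch "\.(php)$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
    </FilesMatch>

    # Remove server signature.
    # NOTE(review): httpd adds the Server header after mod_headers has run, so
    # "Header unset Server" is most likely a no-op; "ServerTokens Prod" in the
    # server configuration (not settable from .htaccess) is the reliable
    # control. X-Powered-By comes from PHP; it is removed from both header
    # tables so PHP error responses lose it too.
    Header unset Server
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>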

# -----------------------------------------------------------------------------
# 3. COMPRESSION
# -----------------------------------------------------------------------------
<IfModule mod_deflate.c>
    # Deflate text-like responses by MIME type. WOFF/WOFF2 fonts are already
    # compressed and gain nothing from this; the two application/font-woff*
    # entries are in practice also dead, since section 6 registers those
    # extensions as font/woff and font/woff2.
    # NOTE(review): compressing a dynamic response that places client-echoed
    # input next to a secret (for example a CSRF token in HTML or JSON from
    # the PHP endpoints) enables BREACH-style inference — confirm those
    # responses carry no such secret, or exclude them from DEFLATE.
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE application/font-woff
    AddOutputFilterByType DEFLATE application/font-woff2
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject

    # Work around compression bugs in very old browsers (Netscape 4.x,
    # early MSIE); harmless for everything current.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>

# -----------------------------------------------------------------------------
# 4. EXPIRES / CACHE HEADERS (fallback if mod_headers unavailable)
# -----------------------------------------------------------------------------
<IfModule mod_expires.c>
    # Expires/Cache-Control fallback keyed on the response MIME type. When
    # mod_headers is present, the explicit "Header set Cache-Control"
    # directives in section 2 are intended to take precedence over the
    # max-age derived here — NOTE(review): verify on a live response that the
    # two modules agree.
    ExpiresActive On
    # Anything without a more specific rule below is cacheable for a month.
    ExpiresDefault "access plus 1 month"

    # HTML — no cache
    ExpiresByType text/html "access plus 0 seconds"

    # CSS & JS — 1 year
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"

    # Images — 1 year
    ExpiresByType image/png "access plus 1 year"
    # image/jpg is not a registered type; JPEG files are image/jpeg (next line)
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # Fonts — 1 year (font/* are the types registered in section 6)
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"

    # Data formats — never cached, so JSON/XML from the PHP endpoints is
    # always fetched fresh
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
</IfModule>

# -----------------------------------------------------------------------------
# 5. FILE PROTECTION
# -----------------------------------------------------------------------------
# Block directory listing
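# Block directory listing
Options -Indexes

# Block access to hidden files (.env, .htpasswd, etc.).
# FilesMatch only tests the final path component, so this catches /.env but
# not the contents of a dot-directory such as /.git/config; the rewrite rule
# that follows covers those paths.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Deny any URL containing a dot-segment (/.git/HEAD, /sub/.env, ...), except
# /.well-known/ which cPanel AutoSSL and ACME validation need to serve.
# The per-directory pattern is matched against the path with its leading
# slash removed, hence the (^|/) alternative. Relies on RewriteEngine On
# from section 1, like sections 10-12.
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteRule (^|/)\. - [F,L]
</IfModule>

# Block access to specific sensitive files (by final path component)
<FilesMatch "(\.env|\.git|\.gitignore|\.htpasswd|\.htaccess|composer\.json|composer\.lock|package\.json|package-lock\.json|\.log|\.bak|\.sql|\.tar\.gz|\.zip)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect signatures.json, rate_limits.json and the SQLite database files
# (including the WAL/shared-memory side files) from direct download,
# wherever they sit in the tree.
<FilesMatch "(signatures\.json|rate_limits\.json|sign\.db|sign\.db-wal|sign\.db-shm)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block access to admin/migration scripts so they can only be run from the
# shell, never over HTTP
<FilesMatch "(migrate-to-sqlite|backup-petition|generate-cities)\.(php|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>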

# -----------------------------------------------------------------------------
# 6. MIME TYPES
# -----------------------------------------------------------------------------
<IfModule mod_mime.c>
    # Explicit MIME types so browsers need not sniff (section 2 sends
    # nosniff) and so the type-keyed rules in sections 3 and 4 match. These
    # are the types those sections must key on (e.g. font/woff2, not
    # application/font-woff2).
    # Web fonts
    AddType font/woff2 .woff2
    AddType font/woff .woff
    AddType font/ttf .ttf
    AddType font/otf .otf
    AddType application/vnd.ms-fontobject .eot

    # Web manifest
    AddType application/manifest+json .webmanifest

    # SVG (.svgz is gzip-compressed SVG)
    AddType image/svg+xml .svg .svgz

    # WebP
    AddType image/webp .webp

    # JSON
    AddType application/json .json

    # XML
    AddType application/xml .xml

    # ICO
    AddType image/x-icon .ico
</IfModule>

# -----------------------------------------------------------------------------
# 7. CHARACTER ENCODING
# -----------------------------------------------------------------------------
<IfModule mod_mime.c>
    # Default charset for text responses plus explicit UTF-8 for the listed
    # extensions, so browsers never guess the encoding (a charset mismatch can
    # undo output escaping). AddDefaultCharset is a core directive and works
    # without mod_mime; it is only wrapped here for symmetry with AddCharset.
    AddDefaultCharset UTF-8
    AddCharset UTF-8 .html .htm .css .js .json .xml .txt
</IfModule>

# -----------------------------------------------------------------------------
# 8. CUSTOM ERROR PAGES
# -----------------------------------------------------------------------------
# Custom error pages. Mapping 400/401/403 onto the 404 page has the side
# effect that a denied file (sections 1 and 5) is indistinguishable from a
# missing one, so a request cannot confirm that a protected file exists.
# Both pages must be plain static files at the site root; /500.html in
# particular must not depend on PHP, or a PHP failure has no error page.
ErrorDocument 400 /404.html
ErrorDocument 401 /404.html
ErrorDocument 403 /404.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html

# -----------------------------------------------------------------------------
# 9. PHP SETTINGS (cPanel PHP 8.3)
# -----------------------------------------------------------------------------
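<IfModule mod_php.c>
    # These php_* directives only take effect when PHP runs as an Apache
    # module (mod_php). Under PHP-FPM — which the note below says cPanel uses —
    # this <IfModule> evaluates false and every line here is silently ignored;
    # the same settings then belong in .user.ini or cPanel's MultiPHP INI
    # Editor.

    # Request size and runtime limits
    php_value upload_max_filesize 2M
    php_value post_max_size 2M
    php_value max_execution_time 10
    php_value max_input_time 10
    php_value memory_limit 32M

    # Never show errors or the PHP version to clients
    php_flag display_errors Off
    php_flag expose_php Off
    php_value date.timezone America/New_York

    # Session cookie hardening: not readable by script, sent over HTTPS only,
    # uninitialised client-supplied session ids rejected, and (SameSite=Lax)
    # not attached to cross-site POSTs, which limits CSRF via the session.
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_flag session.use_strict_mode On
    php_value session.cookie_samesite Lax
</IfModule>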

# PHP-FPM: cPanel handles PHP routing automatically.
# Do NOT set SetHandler here — it conflicts with PHP-FPM.
# If PHP files return 500, make sure no SetHandler directive has been added
# to this file.

# -----------------------------------------------------------------------------
# 10. HOTLINK PROTECTION
# -----------------------------------------------------------------------------
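<IfModule mod_rewrite.c>
    # Refuse image requests whose Referer is another site. An empty Referer is
    # allowed so direct visits, privacy-restricted browsers and some caches
    # still work. The Referer is client-supplied, so this is bandwidth hygiene,
    # not an access control.
    # The allowed host is this site's own name (the previous pattern contained
    # a typo and would have blocked the site's own pages from loading their
    # images, since same-origin requests send a Referer). "(/|$)" stops
    # look-alike hosts such as <this-host>.example from matching.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https://(www\.)?payformygasorkissmyass\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif|webp|svg)$ - [F,NC,L]
</IfModule>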

# -----------------------------------------------------------------------------
# 11. BLOCK BAD BOTS & SCRAPERS
# -----------------------------------------------------------------------------
<IfModule mod_rewrite.c>
    # Refuse requests from known SEO crawlers and AI training scrapers by
    # User-Agent substring (case-insensitive). The User-Agent is freely
    # spoofable, so treat this as load/courtesy filtering rather than a
    # security control; the data files themselves are denied in sections 1
    # and 5.
    # NOTE(review): "google-extended" is a robots.txt token rather than a
    # User-Agent string, so that entry is unlikely to ever match here —
    # declare it in robots.txt instead.
    RewriteCond %{HTTP_USER_AGENT} (ahrefs|semrush|mj12bot|dotbot|blexbot|bytespider|gptbot|ccbot|chatgpt-user|google-extended) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# -----------------------------------------------------------------------------
# 12. CATCH-ALL ROUTE FOR EXTENSION-LESS PATHS (no upload directories exist yet; if any are added they need their own PHP-execution restriction)
# -----------------------------------------------------------------------------
<IfModule mod_rewrite.c>
    # Catch-all route: an extension-less path that is not an existing file or
    # directory, not a dot-path and not one of the named entry points is
    # served /index.html (internal rewrite, status 200). Paths containing a
    # dot fall through to normal handling and the section 8 error pages.
    # Nothing here restricts PHP execution; an upload directory added later
    # needs its own handler/engine restriction.
    # NOTE(review): unknown extension-less paths return index.html with 200
    # instead of the 404 page, so crawlers may index them as "soft 404s".
    RewriteCond %{REQUEST_URI} !^/index\.html$
    RewriteCond %{REQUEST_URI} !^/sign\.php$
    RewriteCond %{REQUEST_URI} !^/count\.php$
    RewriteCond %{REQUEST_URI} !^/\.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^\.]+)$ /index.html [L]
</IfModule>
