# Turn off auto-generated directory listings so a folder without an index
# file does not reveal its contents.
Options -Indexes
# Drop the server-generated footer line from error pages and other
# server-built documents. This does not change the "Server" response header;
# that is governed by ServerTokens in the main server config.
ServerSignature Off

# ──────────────────────────────────────────────────────────────
# Security: Block sensitive directories entirely
# ──────────────────────────────────────────────────────────────
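<IfModule mod_rewrite.c>
    # Rule order matters in this block: deny rules first, then the
    # pass-through for files that exist on disk, then the clean-URL routes,
    # and finally the catch-all.
    RewriteEngine On
    RewriteBase /

    # Block environment files at any depth and with any suffix
    # (.env, .env.example, .env.local, .env.bak, ...), not only the two
    # exact names in the document root. [NC] covers case-insensitive
    # filesystems.
    RewriteRule (^|/)\.env(\..*)?$ - [F,NC,L]

    # Block sensitive backend folders. Also matches the bare directory name
    # without a trailing slash, and ignores case so "Config/" cannot slip
    # past on a case-insensitive filesystem.
    RewriteRule ^(config|includes|storage|database)(/|$) - [F,NC,L]

    # Serve existing real files or directories directly (assets, etc.).
    # NOTE(review): this passes through ANY file on disk that the deny rules
    # above did not match, including PHP scripts under /public/, /admin/ and
    # /api/ requested by their real path. Anything else kept in the document
    # root (VCS metadata, dependency manifests, backups, logs) is reachable
    # too if present -- confirm the docroot holds only what should be served.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # ── Admin routes (no /public/ prefix) ──
    # NOTE(review): no access restriction is applied here; presumably
    # authentication is enforced inside the admin scripts -- confirm.
    RewriteRule ^admin/?$ /admin/index.php [L,QSA]

    # ── API routes ──
    # Rewrites to the same path; this appears to exist only to keep
    # unmatched /api/ requests out of the catch-all below.
    RewriteRule ^api/(.*)$ /api/$1 [L,QSA]

    # ── Public clean URLs ──
    # NOTE(review): the [a-z0-9-]+ slug patterns below are routing filters,
    # not input validation. With QSA the client's own query string is
    # appended after slug=$1, so a request carrying ?slug=... can supply a
    # second slug parameter, and the detail scripts are also reachable
    # directly via the file pass-through above. The PHP handlers must
    # validate slug themselves.
    RewriteRule ^about/?$              /public/about/index.php    [L,QSA]
    RewriteRule ^about/team/?$         /public/about/team.php     [L,QSA]
    RewriteRule ^about/clients/?$      /public/about/clients.php  [L,QSA]
    RewriteRule ^about/careers/?$      /public/about/careers.php  [L,QSA]

    RewriteRule ^services/?$           /public/services/index.php      [L,QSA]
    RewriteRule ^services/it/?$        /public/services/it.php         [L,QSA]
    RewriteRule ^services/real-estate/?$ /public/services/real-estate.php [L,QSA]
    RewriteRule ^services/travel/?$    /public/services/travel.php     [L,QSA]

    RewriteRule ^works/?$              /public/works/index.php    [L,QSA]
    RewriteRule ^works/([a-z0-9-]+)/?$ /public/works/detail.php?slug=$1 [L,QSA]

    RewriteRule ^blog/?$               /public/blog/index.php     [L,QSA]
    RewriteRule ^blog/([a-z0-9-]+)/?$  /public/blog/detail.php?slug=$1 [L,QSA]

    # cart/ and checkout/ must stay above the slug rule, which would
    # otherwise capture them as product slugs.
    RewriteRule ^shop/?$               /public/shop/index.php     [L,QSA]
    RewriteRule ^shop/cart/?$          /public/shop/cart.php      [L,QSA]
    RewriteRule ^shop/checkout/?$      /public/shop/checkout.php  [L,QSA]
    RewriteRule ^shop/([a-z0-9-]+)/?$  /public/shop/product.php?slug=$1 [L,QSA]

    RewriteRule ^properties/?$         /public/properties/index.php [L,QSA]
    RewriteRule ^properties/([a-z0-9-]+)/?$ /public/properties/detail.php?slug=$1 [L,QSA]

    RewriteRule ^tours/?$              /public/tours/index.php    [L,QSA]
    RewriteRule ^tours/([a-z0-9-]+)/?$ /public/tours/detail.php?slug=$1 [L,QSA]

    RewriteRule ^account/?$            /public/account/index.php  [L,QSA]
    RewriteRule ^account/orders/?$     /public/account/orders.php [L,QSA]
    RewriteRule ^account/wishlist/?$   /public/account/wishlist.php [L,QSA]
    RewriteRule ^account/profile/?$    /public/account/profile.php [L,QSA]

    # NOTE(review): /logout is reachable with a plain GET. If the handler
    # ends the session without checking a token or the request method, a
    # third-party page can log users out -- confirm in /api/logout.php.
    RewriteRule ^login/?$              /public/login.php          [L,QSA]
    RewriteRule ^register/?$           /public/register.php       [L,QSA]
    RewriteRule ^logout/?$             /api/logout.php            [L,QSA]
    RewriteRule ^forgot-password/?$    /public/forgot-password.php [L,QSA]
    RewriteRule ^unsubscribe/?$        /public/unsubscribe.php    [L,QSA]

    RewriteRule ^contact/?$            /public/contact.php        [L,QSA]
    RewriteRule ^privacy/?$            /public/privacy.php        [L,QSA]
    RewriteRule ^terms/?$              /public/terms.php          [L,QSA]
    RewriteRule ^sitemap\.xml$         /public/sitemap.php        [L,QSA]
    RewriteRule ^robots\.txt$          /public/robots.txt         [L]

    # Root → homepage
    RewriteRule ^$                     /public/index.php          [L,QSA]

    # Catch-all: anything unmatched goes to 404.
    # This is an internal rewrite, so the response status is whatever
    # 404.php sends; presumably the script sets 404 itself -- confirm,
    # otherwise unknown URLs answer 200.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ /public/404.php [L]
</IfModule>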

# ──────────────────────────────────────────────────────────────
# Security Headers
# ──────────────────────────────────────────────────────────────
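<IfModule mod_headers.c>
    # "always" also attaches the headers to error responses and internal
    # redirects, not only to successful ones.

    # Stop browsers from guessing a content type different from the one sent.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing only by pages of the same origin (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy browser XSS auditor has been removed from current browsers,
    # and "1; mode=block" could itself cause problems in the old ones that
    # had it. "0" switches it off explicitly; script injection is mitigated
    # by output encoding and a Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
    # Send the full URL as referrer to same-origin requests, only the origin
    # cross-origin, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # NOTE(review): no Content-Security-Policy or Strict-Transport-Security
    # is set in this file. Both depend on facts not visible here (which
    # script/style origins the pages load, whether every hostname is served
    # over HTTPS), so they are left for the site owner to add and test.
</IfModule>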

# ──────────────────────────────────────────────────────────────
# PHP Settings (LiteSpeed compatible)
# ──────────────────────────────────────────────────────────────
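# Stock PHP 8 builds of the Apache module register as mod_php.c / php_module
# (the version number was dropped from the name after PHP 7), so a
# "mod_php8.c" test alone is expected never to match there and every setting
# below would be silently skipped. Both names are tested; the original
# condition is kept for any build that does use it.
# NOTE(review): under PHP-FPM, CGI or LSAPI neither condition may hold.
# Confirm with ini_get()/phpinfo() that these values are in effect, and set
# them in php.ini or .user.ini if they are not.
<IfModule mod_php8.c>
    # Keep error details out of responses; write them to the log instead.
    php_flag display_errors Off
    php_flag log_errors On
    # post_max_size must stay above upload_max_filesize so a maximum-size
    # upload plus its form fields still fits in one request.
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
    php_value memory_limit 256M
    # Hide the session cookie from JavaScript.
    php_flag session.cookie_httponly On
</IfModule>
<IfModule mod_php.c>
    # Same settings as above, for the PHP 8 module name.
    php_flag display_errors Off
    php_flag log_errors On
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
    php_value memory_limit 256M
    php_flag session.cookie_httponly On
    # NOTE(review): session.cookie_secure and session.cookie_samesite are
    # not set here. cookie_secure needs the site to be HTTPS-only, and a
    # SameSite value has to be checked against any cross-site return flows
    # (e.g. payment callbacks) -- decide both with that knowledge.
</IfModule>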

# ──────────────────────────────────────────────────────────────
# Caching
# ──────────────────────────────────────────────────────────────
<IfModule mod_expires.c>
    # Emit Expires / Cache-Control max-age headers, keyed on response MIME type.
    ExpiresActive On
    # Images: one year from the time of the request. A changed image needs a
    # new URL (or filename) to reach clients that already cached the old one.
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png  "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    # Stylesheets and scripts: one month.
    # NOTE(review): only application/javascript is listed; if the server
    # labels .js files text/javascript this rule does not apply -- confirm.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    # No rule covers text/html, so PHP-generated pages (account, cart,
    # checkout) get no expiry header from this block.
</IfModule>

# Compression
<IfModule mod_deflate.c>
    # Compress text-based responses; already-compressed image formats are
    # deliberately not listed.
    # NOTE(review): text/html and application/json are compressed here. For
    # pages served over TLS that both echo request input and carry secrets
    # (CSRF tokens, session-bound data), response compression is the
    # precondition for BREACH-style length side channels -- check whether
    # such pages exist and whether tokens are per-request or masked.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript application/json image/svg+xml
</IfModule>

# Custom error pages
# All three statuses are rendered by the same script. With a local-path
# ErrorDocument the original status code is kept unless the script overrides
# it, so a request denied by the [F] rewrite rules shows the "not found"
# page without confirming that the path exists in its body.
ErrorDocument 403 /public/404.php
ErrorDocument 404 /public/404.php
# NOTE(review): the 500 handler is itself a PHP script; if the failure is in
# PHP it may not render. A static fallback page avoids that -- confirm.
ErrorDocument 500 /public/404.php
