# Deny access to sensitive files
<Files ".env">
    Order allow,deny
    Deny from all
</Files>

<Files "*.md">
    Order allow,deny
    Deny from all
</Files>

<Files ".gitignore">
    Order allow,deny
    Deny from all
</Files>

# Enable rewrite engine
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /doc/
    
    # ===== CLEAN URL RULES =====
    
    # Remove .php extension from any file
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^([^/]+)$ $1.php [L]
    
    # Clean URLs without modules/ prefix
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(login|register|dashboard|forum|admin|post|thread|ia|hr|ctd)$ modules/$1.php [L,QSA]
    
    # Redirect old URLs to clean URLs (301 permanent redirect)
    RewriteCond %{THE_REQUEST} /modules/([^.]+)\.php [NC]
    RewriteRule ^ /%1 [R=301,L]
    
    RewriteCond %{THE_REQUEST} /([^.]+)\.php [NC]
    RewriteRule ^ /%1 [R=301,L]
    
    # Forms folder clean URLs
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^forms/(escorting_report|bolingbroke_activity|parole_form)$ forms/$1.php [L,QSA]
    
    # Redirect forms with .php to clean URL
    RewriteCond %{THE_REQUEST} /forms/([^.]+)\.php [NC]
    RewriteRule ^ /forms/%1 [R=301,L]
    
    # Redirect to HTTPS (uncomment in production)
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Prevent directory listing
    Options -Indexes
</IfModule>

# Security Headers
<IfModule mod_headers.c>
    # Protect against clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # XSS Protection
    Header always set X-XSS-Protection "1; mode=block"
    
    # Content Type Options
    Header always set X-Content-Type-Options "nosniff"
    
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Disable PHP execution in image directories
<FilesMatch "\.(php|php3|php4|php5|phtml)$">
    <If "%{REQUEST_URI} =~ m#^/doc/assets/images/#">
        Order allow,deny
        Deny from all
    </If>
</FilesMatch>
