# XTend Docs Apache routing and hardening.
# The Docs SPA is hash-routed; the directory root gets a canonical client route.

# -Indexes: never generate a directory listing, so a directory without an
# index document answers 403 instead of exposing its file names.
# -MultiViews: turn off content negotiation, so a request only matches a file
# whose name is given in full.
# NOTE(review): if this file is deployed as .htaccess, the server config must
# allow Options via AllowOverride, otherwise this line causes a 500 - confirm.
Options -Indexes -MultiViews
# Document served when the directory itself is requested.
DirectoryIndex index.php

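<IfModule mod_rewrite.c>
  # Everything in this section is skipped silently when mod_rewrite is not
  # loaded: neither the TRACE guard nor the dot-path block is then enforced.
  RewriteEngine On

  # TRACE is better disabled in server config via TraceEnable Off. Keep a
  # per-directory guard here so accidental enablement is still rejected.
  RewriteCond %{REQUEST_METHOD} ^TRACE$ [NC]
  RewriteRule ^ - [F,L]

  # Refuse any request path with a segment that starts with a dot.
  # The <FilesMatch "^\."> section in this file only tests the final file name,
  # so files inside a dot-directory (for example a VCS metadata directory)
  # are not covered by it. Add an exemption above this rule if a dot-directory
  # ever has to be public.
  RewriteRule (^|/)\. - [F,L]

  # /docs/ should open the canonical Docs start page, not a directory index.
  # The target is a fixed path, so no request data ends up in the Location
  # header. NE keeps the "#" literal; without it the fragment would be sent
  # percent-encoded and the client-side router would not see the route.
  RewriteRule ^$ /docs/index.php#/readme [R=302,L,NE]
</IfModule>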

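<IfModule mod_headers.c>
  # Response hardening headers. "always" also applies them to error responses
  # and redirects generated by the server, not only to 2xx responses.
  # No Content-Security-Policy is set in this section.

  # Stop browsers from guessing a content type different from the declared one.
  Header always set X-Content-Type-Options "nosniff"
  # Cross-origin navigations receive only the origin, never the full URL.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Clickjacking guard: only same-origin pages may frame the Docs.
  Header always set X-Frame-Options "SAMEORIGIN"
  # Deny Flash/PDF cross-domain policy files.
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # Isolate the browsing context from cross-origin openers and popups.
  Header always set Cross-Origin-Opener-Policy "same-origin"
  # Other origins may not embed these resources.
  Header always set Cross-Origin-Resource-Policy "same-origin"
  # Switch off device and payment features the Docs pages do not need.
  # NOTE(review): interest-cohort belongs to the retired FLoC proposal; current
  # browsers may log it as an unrecognized feature - confirm it is still wanted.
  Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"

  # mod_headers keeps two separate header tables ("always" and the default
  # "onsuccess"), and removing a header from one leaves it in the other.
  # Which table holds X-Powered-By depends on how PHP is run (in-process module
  # versus CGI/FastCGI), so remove it from both. Setting expose_php = Off in
  # php.ini stops the header at the source.
  Header always unset X-Powered-By
  Header unset X-Powered-By
</IfModule>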

# Hide dotfiles such as .htaccess, .env or editor metadata if they appear here.
# <FilesMatch> tests only the final file name of the request, so this section
# does not cover regular files stored inside a dot-directory.
<FilesMatch "^\.">
  # Apache 2.4 authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Legacy (2.2-style) syntax, used only when mod_authz_core is not loaded.
  # With "Order allow,deny" and no Allow line, every request is denied.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Block common temporary, backup and local configuration artifacts without
# hiding the intentional public Docs sources such as .md, .rmt or menu.json.
# The match is case-insensitive ((?i)) and anchored to the end of the file
# name, so a copy such as index.php.bak is refused rather than returned as
# plain text. Extensions not listed here are not covered.
<FilesMatch "(?i)(~$|\.bak$|\.config$|\.dist$|\.env$|\.ini$|\.log$|\.orig$|\.save$|\.sql$|\.swp$|\.tmp$)">
  # Apache 2.4 authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Legacy (2.2-style) syntax, used only when mod_authz_core is not loaded.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
