# XTend Docs Apache routing and hardening.
# The Docs SPA is history-routed; deep links fall back to the PHP shell.

# No auto-generated directory listings: a directory without an index must not
# enumerate its contents.
Options -Indexes
# No content negotiation: with MultiViews on, a request for /foo could silently
# resolve to foo.php or foo.md instead of going through the rewrite rules.
Options -MultiViews

# The PHP shell is the only directory index for this tree.
DirectoryIndex index.php

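<IfModule mod_rewrite.c>
  RewriteEngine On

  # NOTE: the END flag used by every rule below needs Apache 2.4 (2.3.9+).
  # The Order/Deny fallbacks for servers without mod_authz_core elsewhere in
  # this file therefore do not make these rules portable to Apache 2.2.

  # TRACE is better disabled in server config via TraceEnable Off. Keep a
  # per-directory guard here so accidental enablement is still rejected.
  RewriteCond %{REQUEST_METHOD} ^TRACE$ [NC]
  RewriteRule ^ - [F,END]

  # Refuse any path containing a dot-prefixed segment (.git/, .svn/, .idea/ ...).
  # <FilesMatch> only tests the final file name, so a file such as .git/config
  # would otherwise pass the "real files" rule below and be served verbatim.
  # The rule fires whether or not the path exists, so the 403 does not reveal
  # which hidden directories are present. .well-known/ stays reachable.
  RewriteRule (?:^|/)\.(?!well-known(?:/|$)) - [F,END]

  # Serve real files and directories directly.
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [END]

  # HTML5 History API fallback for clean Docs slugs such as /docs/de/readme.
  # Important: this is an internal rewrite, not an HTTP redirect.
  # Every path that is not a real file lands in index.php, so the shell must
  # treat the requested path as untrusted input (assumed; index.php is not
  # part of this file - confirm it validates the slug before using it).
  RewriteRule ^ index.php [END,QSA]
</IfModule>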

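<IfModule mod_headers.c>
  # "always" puts each header on error responses (403, 404, 5xx) as well as on
  # successful ones.
  # NOTE(review): no Content-Security-Policy or Strict-Transport-Security is
  # set in this file - confirm both are sent from the vhost or the application.

  # Stop browsers from MIME-sniffing responses into a different type.
  Header always set X-Content-Type-Options "nosniff"
  # Send only the origin, not the full URL, on cross-origin navigations.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Clickjacking guard: only same-origin pages may frame the Docs.
  Header always set X-Frame-Options "SAMEORIGIN"
  # Deny Flash/Acrobat cross-domain policy files.
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # Isolate the browsing context from cross-origin openers and popups.
  Header always set Cross-Origin-Opener-Policy "same-origin"
  # Other origins may not embed these responses (images, scripts, ...).
  # NOTE(review): this also blocks sibling subdomains - confirm none embed Docs assets.
  Header always set Cross-Origin-Resource-Policy "same-origin"
  # Switch off device and payment APIs the Docs never need. interest-cohort is
  # the legacy FLoC opt-out; browsers that no longer know it ignore the token.
  Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()"

  # mod_headers keeps two separate header tables. "always unset" clears only
  # the error table, which is where CGI/FastCGI-generated headers end up; a
  # header emitted by an in-process PHP module sits in the default table and
  # needs the plain form. Clear both so the version banner is removed under
  # either PHP handler. Setting expose_php = Off in php.ini stops PHP from
  # sending the header at all and is the more reliable fix.
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>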

# Deny every file whose own name starts with a dot (.htaccess, .env, editor
# metadata) should one ever be deployed into this directory tree.
# The pattern is tested against the file name only, never the directory part:
# a file inside a dot-directory (for example .git/config) is NOT matched here.
<FilesMatch "^\.">
  # Servers without mod_authz_core (Apache 2.2): legacy access-control syntax.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  # Servers with mod_authz_core (Apache 2.4): current authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

# Deny leftover artifacts by suffix, case-insensitively: editor backups ending
# in "~", plus .bak .config .dist .env .ini .log .orig .save .sql .swp .tmp.
# These typically hold credentials, dumps or stale copies of source files.
# The intentional public Docs sources (.md, .rmt, menu.json) are not matched
# and stay downloadable.
<FilesMatch "(?i)(?:~|\.(?:bak|config|dist|env|ini|log|orig|save|sql|swp|tmp))$">
  # Servers without mod_authz_core (Apache 2.2): legacy access-control syntax.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  # Servers with mod_authz_core (Apache 2.4): current authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
