# ─── Drawalytics.com · Apache .htaccess ──────────────────────────────────────
# Security · Performance · SEO · Clean URLs

# ─── Security headers ────────────────────────────────────────────────────────
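<IfModule mod_headers.c>
    # Prevent clickjacking: only same-origin pages may frame this site
    Header always set X-Frame-Options "SAMEORIGIN"
    # Prevent MIME sniffing of responses
    Header always set X-Content-Type-Options "nosniff"
    # Legacy XSS auditor: explicitly disabled. Current browsers no longer
    # implement it, and in older ones "1; mode=block" could be abused for
    # cross-site information leaks, so "0" is the recommended value.
    Header always set X-XSS-Protection "0"
    # Referrer policy: full URL same-origin, origin only cross-origin, nothing on downgrade
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS: HTTPS is already enforced by the redirect below, so pin it in the
    # browser for one year. Browsers ignore this header on plain-HTTP responses,
    # so sending it unconditionally is harmless. includeSubDomains / preload are
    # deliberately not set; opt in only once every subdomain serves HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"
    # Hide server info. X-Powered-By (emitted by PHP) can be stripped here.
    # NOTE(review): the Server header is generated by httpd core after mod_headers
    # runs, so "unset Server" is effectively a no-op on stock Apache; the real
    # control is ServerTokens Prod, which is server-config only (not .htaccess).
    Header always unset X-Powered-By
    Header always unset Server
    # TODO(review): Content-Security-Policy is the remaining missing header; it
    # requires the site's actual script/style origins and is not set here.
</IfModule>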

# ─── Hide server signature ────────────────────────────────────────────────────
# Do not append the server version line to server-generated pages (error pages,
# listings). The Server response header itself is controlled by ServerTokens,
# which is not permitted in .htaccess.
ServerSignature Off

# ─── Disable directory indexing ──────────────────────────────────────────────
# A request for a directory with no DirectoryIndex file returns 403 instead of
# a file listing (mapped to the 404 page by ErrorDocument below).
Options -Indexes

# ─── Default document ────────────────────────────────────────────────────────
# index.html is preferred; index.php is only tried when no index.html exists.
DirectoryIndex index.html index.php

# ─── Force HTTPS ─────────────────────────────────────────────────────────────
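<IfModule mod_rewrite.c>
    RewriteEngine On

    # Force HTTPS (Cloudflare-compatible).
    # Redirect to the canonical hostname instead of %{HTTP_HOST}: the Host header
    # is client-controlled, so echoing it would let a request steer the redirect
    # target. The site is canonical on drawalytics.com anyway (non-www rule below),
    # so this also collapses http://www -> https://drawalytics.com into one hop.
    # NOTE(review): X-Forwarded-Proto is trusted from any client here. If the
    # origin is reachable without the proxy in front, a client can suppress this
    # redirect by sending the header; it gains nothing but an HTTP response.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^ https://drawalytics.com%{REQUEST_URI} [L,R=301]

    # Force non-www
    RewriteCond %{HTTP_HOST} ^www\.drawalytics\.com [NC]
    RewriteRule ^ https://drawalytics.com%{REQUEST_URI} [L,R=301]

    # Remove index.html from URLs.
    # THE_REQUEST is the raw request line, so this fires only when the client
    # literally asked for index.html, not after DirectoryIndex mapped a
    # directory onto it (which would otherwise redirect-loop).
    RewriteCond %{THE_REQUEST} /index\.html[\s?] [NC]
    RewriteRule ^(.*)index\.html$ /$1 [R=301,L]

    # Clean trailing slash consistency
    # Add trailing slash to paths that are not existing files and carry no
    # 2-4 character extension.
    # NOTE(review): this also fires for non-existent paths (301 to path/, then
    # 404). Testing %{REQUEST_FILENAME} -d instead of !-f would limit it to real
    # directories; left as-is because generated analysis pages may rely on it.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_URI} !/$
    RewriteCond %{REQUEST_URI} !\.[a-zA-Z0-9]{2,4}$
    RewriteRule ^ %{REQUEST_URI}/ [R=301,L]

</IfModule>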

# ─── Protect sensitive files ──────────────────────────────────────────────────
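# Deny HTTP access to files that are never content:
#   - every dotfile (.htaccess, .htpasswd, .env and .env.* variants, .git*,
#     editor/OS droppings) — the original list only matched ".env" exactly;
#   - stats_meta.json;
#   - every Python source/bytecode file, which covers the generator scripts
#     (generate_stats.py, generate_pages.py, scrape_draws.py, test_pages.py,
#     compute_stats.py) plus anything added later without editing this list.
# FilesMatch tests the basename only; a dot-directory such as .git/ inside the
# docroot would need a RewriteRule, as done for cache/ below.
<FilesMatch "^(\..*|stats_meta\.json|.*\.py[co]?)$">
    # Apache 2.4 authorization; the compat branch keeps 2.2 hosts working and
    # avoids mixing Order/Deny with Require in one scope.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>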

# Block access to cache folder directly
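<IfModule mod_rewrite.c>
    # RewriteEngine On from the block above applies to this whole .htaccess.
    # Match case-insensitively (in case the docroot sits on a case-insensitive
    # filesystem) and also catch /cache without the slash, so mod_dir's
    # directory redirect does not confirm that the folder exists.
    RewriteRule ^cache(/|$) - [F,L,NC]
</IfModule>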

# Allow analysis pages to be served normally
# (generated by analyze.php, served as static HTML)

# ─── PHP file protection (only analyze.php is reachable over HTTP) ────────────
# analyze.php is intentionally public and relies on rate limiting (not configured in this file)
# Block direct HTTP access to every other PHP file
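# The negative lookahead is anchored to the full name "analyze.php": the
# original "^(?!analyze)" exempted any file whose name merely starts with
# "analyze" (e.g. a hypothetical analyze_admin.php). This is HTTP access control
# only; files that analyze.php includes server-side are unaffected.
<FilesMatch "^(?!analyze\.php$).*\.php$">
    # Apache 2.4 authorization; the compat branch keeps 2.2 hosts working.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>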

# ─── Compression ─────────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    # Compress text-like responses only; raster images are already compressed.
    # Same nine media types as before, grouped per top-level type.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json application/xml
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# ─── Browser caching ─────────────────────────────────────────────────────────
<IfModule mod_expires.c>
    # mod_expires emits both an Expires header and Cache-Control: max-age for
    # each type below. No ExpiresDefault is set, so unlisted types get neither.
    ExpiresActive On

    # HTML - short cache (content updates after draws); a page may be served
    # stale for up to 4 hours after new data is published.
    ExpiresByType text/html                 "access plus 4 hours"

    # CSS / JS - longer cache. Assets are not fingerprinted here, so a changed
    # file keeps its old copy in browsers for up to a month unless renamed.
    ExpiresByType text/css                  "access plus 1 month"
    ExpiresByType application/javascript    "access plus 1 month"
    ExpiresByType text/javascript           "access plus 1 month"

    # Images (SVG shorter, as it is edited more like a text asset)
    ExpiresByType image/jpeg                "access plus 1 year"
    ExpiresByType image/png                 "access plus 1 year"
    ExpiresByType image/gif                 "access plus 1 year"
    ExpiresByType image/svg+xml             "access plus 1 month"
    ExpiresByType image/webp                "access plus 1 year"
    ExpiresByType image/x-icon              "access plus 1 year"

    # Fonts
    ExpiresByType font/woff                 "access plus 1 year"
    ExpiresByType font/woff2                "access plus 1 year"

    # Data files - short cache, same window as the HTML that embeds them
    ExpiresByType application/json          "access plus 4 hours"
    ExpiresByType text/xml                  "access plus 4 hours"
</IfModule>

# ─── ETags ───────────────────────────────────────────────────────────────────
# Stop core from generating ETags and strip any set by another module, so
# revalidation relies on Last-Modified only (avoids inode-based ETags that
# differ between servers).
FileETag None
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

# ─── Custom error pages ───────────────────────────────────────────────────────
ErrorDocument 404 /404.html
# 403 deliberately shows the 404 page so that denied files (FilesMatch, cache/,
# hotlink and bot rules above) look non-existent instead of confirming they exist.
ErrorDocument 403 /404.html
# NOTE(review): 500 also shows the 404 page, which mislabels server errors to
# visitors; a dedicated error page would be clearer if one is added.
ErrorDocument 500 /404.html

# ─── Prevent image hotlinking ─────────────────────────────────────────────────
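<IfModule mod_rewrite.c>
    # Best-effort control only: requests with no Referer are allowed (browsers
    # omit it under many referrer policies), so a page that suppresses the
    # Referer is never blocked.
    RewriteCond %{HTTP_REFERER} !^$
    # Anchor the host with "(/|$)": the original pattern only checked the prefix,
    # so any referrer host that merely begins with "drawalytics.com" (e.g. a
    # constructed https://drawalytics.com.example/) was accepted.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?drawalytics\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif|webp|svg)$ - [F,NC]
</IfModule>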

# ─── Block bad bots ───────────────────────────────────────────────────────────
<IfModule mod_rewrite.c>
    # Refuse known crawlers by their self-declared User-Agent. The header is
    # trivially changed, so this trims load from well-behaved bots rather than
    # enforcing anything. [F] implies [L].
    RewriteCond %{HTTP_USER_AGENT} (AhrefsBot|MJ12bot|DotBot|SemrushBot|BLEXBot) [NC]
    RewriteRule ^ - [F]
</IfModule>
