# =====================================================================
# SGE — public/.htaccess  (web root protector)
# =====================================================================

# Disable directory listings: a directory without an index file must not
# reveal its contents.
# NOTE(review): in a .htaccess this needs AllowOverride Options (or
# Options=Indexes) on the vhost; otherwise Apache rejects the file with a
# 500 — confirm against the server config.
Options -Indexes

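# ─── BLOCK SENSITIVE FILES ───────────────────────────────────────────
# By extension: dumps, backups, archives, config, lock files and key material.
# inc/old/orig/dist/swp are added: stray include files and editor/deploy
# leftovers would otherwise be served as plain text.
<FilesMatch "(?i)\.(env|ini|log|sql|sqlite|db|bak|backup|old|orig|dist|inc|swp|zip|tar|tgz|gz|7z|conf|yaml|yml|lock|pem|key|crt)$">
    Require all denied
</FilesMatch>

# By exact name: dependency manifests and PHP/Apache runtime config.
# Note that ".git" here only matches a *file* of that name (e.g. a worktree
# pointer); the directory case is handled by the rewrite rule below.
<FilesMatch "^(?:\.env|\.htaccess|\.htpasswd|composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|php\.ini|\.user\.ini|\.git|Makefile)$">
    Require all denied
</FilesMatch>

# Hidden files (leading dot); this also covers .env.* variants.
# FilesMatch tests the file name only, never the directory part, so it does
# NOT protect the contents of a hidden directory such as .git/.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Hidden VCS directories: deny any path component named .git/.svn/.hg, whose
# contents expose source and history. Deliberately limited to VCS names so
# that .well-known/ (ACME challenges) stays reachable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\.(git|svn|hg)(/|$)" - [NC,F,L]
</IfModule>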

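# ─── SECURITY HEADERS ────────────────────────────────────────────────
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing responses.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy anti-framing header for browsers without CSP frame-ancestors.
    # DENY so that it agrees with "frame-ancestors 'none'" in the CSP below;
    # browsers that understand frame-ancestors ignore X-Frame-Options anyway,
    # so SAMEORIGIN was both contradictory and dead.
    Header always set X-Frame-Options "DENY"
    # NOTE(review): strict-origin-when-cross-origin would stop leaking full
    # URLs (paths, query strings) to third-party sites — policy decision,
    # left unchanged here.
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Permissions-Policy "geolocation=(self)"
    # HSTS: one year, subdomains included. Browsers only honour it on HTTPS
    # responses, so emitting it unconditionally is harmless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Content-Security-Policy
    # - 'unsafe-inline' in script-src largely defeats the XSS protection the
    #   policy is meant to give; move inline scripts to files or use
    #   nonces/hashes before removing it.
    # - base-uri does not inherit from default-src, and object-src would
    #   inherit 'self' (same-origin plugin content still allowed); both are
    #   now pinned explicitly.
    # - form-action is not set; add "form-action 'self'" once every form
    #   target (payment gateways, SSO) is known, since it would break them.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
</IfModule>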

# ─── BLOCK ATTACKING IP ──────────────────────────────────────────────
# Incident-response block of a single source address. Two caveats:
# - If the site sits behind a CDN/reverse proxy, the address Apache sees is
#   the proxy's, not the client's; mod_remoteip (or the proxy's own block
#   list) is needed for this to take effect — confirm the deployment.
# - Single-address blocks go stale quickly; record when and why it was
#   added so it can be reviewed and removed.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 93.123.109.105
    </RequireAll>
</IfModule>
# Apache 2.2 fallback. NOTE(review): the rest of this file uses 2.4-only
# syntax (Require all denied) unconditionally, so this branch is unlikely
# to ever be the one in effect.
<IfModule !mod_authz_core.c>
    deny from 93.123.109.105
</IfModule>

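# ─── FORCE HTTPS ─────────────────────────────────────────────────────
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Redirect only when the request is plain HTTP *and* was not already
    # HTTPS at a TLS-terminating proxy/CDN in front of Apache. Behind such a
    # proxy %{HTTPS} is "off" for every request and the single-condition
    # form redirects forever. Without a proxy the second condition is a
    # no-op for browsers, which never send X-Forwarded-Proto.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    # NOTE(review): %{HTTP_HOST} echoes the client-supplied Host header; if
    # this vhost is the server's default/catch-all, replace it with the
    # canonical hostname so the redirect cannot point at another host.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>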

# ─── BLOCK EXPLOIT PATTERNS ──────────────────────────────────────────
# Crude signature tripwire on the query string. It is not a WAF:
# - it inspects only the raw (undecoded) %{QUERY_STRING}, never the request
#   body or headers, so coverage is partial by design;
# - "select.*from" / "insert.*into" will 403 legitimate free-text searches
#   that happen to contain those words.
# Real protection is parameterised queries and output encoding in the
# application; keep this as an early signal and review the 403s it
# produces in the access log.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # SQL Injection patterns
    RewriteCond %{QUERY_STRING} (union.*select|select.*from|insert.*into|drop.*table) [NC]
    RewriteRule .* - [F,L]
    # XSS patterns
    RewriteCond %{QUERY_STRING} (<script|javascript:|vbscript:|onload=|onerror=) [NC]
    RewriteRule .* - [F,L]
    # Path traversal (literal "../" and "..\" only)
    RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC]
    RewriteRule .* - [F,L]
</IfModule>

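# ─── PROTECT NON-PUBLIC DIRECTORIES (if any are left inside the web root) ──
# These trees belong outside public/; this rule is a safety net, not the
# intended layout.
<IfModule mod_rewrite.c>
    # Enabled here as well so the block keeps working if the earlier rewrite
    # sections are removed or reordered.
    RewriteEngine On
    # [NC]: also catch case variants of the directory names (relevant on
    # case-insensitive filesystems).
    RewriteRule ^(db|vendor|config|app)/ - [NC,F,L]
</IfModule>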

# ─── PHP: cPanel handler ─────────────────────────────────────────────
# php -- BEGIN cPanel-generated handler, do not edit
# Set the "ea-php82" package as the default "PHP" programming language.
#<IfModule mime_module>
#  AddHandler application/x-httpd-ea-php82 .php .php8 .phtml
#</IfModule>
# php -- END cPanel-generated handler, do not edit

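# ─── CACHE FOR STATIC ASSETS ─────────────────────────────────────────
# NOTE(review): month/year lifetimes assume fingerprinted file names
# (e.g. app.<hash>.js); unversioned files will be served stale after a
# deploy — confirm the build produces versioned names.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    # Some Apache builds/distributions map .js to text/javascript rather than
    # application/javascript; cover both so the rule does not silently stop
    # applying after an upgrade.
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
    # Web fonts are immutable in practice; same lifetime as images.
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
</IfModule>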
