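# TapTap Card - Security Hardened
#
# Apache per-directory configuration (.htaccess). It assumes the site lives at
# the document root (RewriteBase /), so every path below is root-relative.
# NOTE: <Directory> and <Location> are server-config/vhost-only directives.
# Apache refuses a .htaccess that contains them with a 500 for the whole site,
# so path-scoped rules here are written with RewriteRule / <If> instead.

# Disable directory browsing
Options -Indexes

# Don't append the server version to Apache-generated pages
ServerSignature Off

# Block access to hidden files (dotfiles: .env, .htaccess, .htpasswd, ...).
# FilesMatch tests the final file name only, so it does not cover *directories*
# such as .git/ — that is handled by a RewriteRule further down.
# "Require" is the Apache 2.4 form; the Order/Deny pair is kept only for 2.2
# (or a 2.4 build without mod_authz_core).
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect sensitive files (config, dependency manifests and lock files).
# The pattern is unanchored on the left, so any file *ending* in one of these
# names (e.g. db-config.php) is blocked as well.
<FilesMatch "(config\.php|\.env|\.htaccess|\.git|composer\.(json|lock)|package(-lock)?\.json)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Bandwidth throttle for API responses (optional; needs mod_ratelimit).
# NOTE: mod_ratelimit caps the *transfer speed* (KiB/s per connection). It is
# not a request-rate limit and does nothing against brute force or abuse of
# /api — that has to be enforced in api.php (or by mod_evasive / a WAF).
# <Location> is not permitted in .htaccess, so the scope is an <If> on the
# request URI (Apache 2.4 expression syntax).
<IfModule mod_ratelimit.c>
    <If "%{REQUEST_URI} =~ m#^/api/#">
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 400
    </If>
</IfModule>

RewriteEngine On
RewriteBase /

# Force HTTPS *first*, before any internal rewrite, so a plain-http hit on
# /admin or /api/... is redirected in one pass instead of only after a
# rewrite round-trip (the [L] rules below would otherwise run first).
# %{HTTPS} is set by mod_ssl: if TLS is ever terminated by a proxy/CDN in front
# of Apache this must test X-Forwarded-Proto instead or it will loop.
# The redirect target echoes the request's Host header; pin it to the
# canonical host name if the site only ever serves one.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Refuse VCS metadata directories outright. FilesMatch cannot stop
# /.git/config or /.git/HEAD because it only sees the final file name.
RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F]

# Never execute scripts from the user-upload tree (this replaces the
# <Directory "uploads"> block, which is invalid in .htaccess).
# mod_mime applies AddHandler to *every* dot-suffix in a file name, so
# shell.php.jpg would still be run as PHP; the trailing (\.|$) catches those
# double extensions too. The list mirrors the cPanel handler below
# (.php .php8 .phtml) plus .phar; NC because extensions match
# case-insensitively. As defence in depth also drop an uploads/.htaccess with
# `php_flag engine off` (or RemoveHandler) if AllowOverride permits it.
RewriteRule ^uploads/.*\.(php[0-9]*|phtml|phar)(\.|$) - [NC,F]

# Admin panel
RewriteRule ^admin/?$ admin.php [L]

# API requests: anything under /api/ that is not an existing file/directory.
# The capture is not passed on — api.php presumably reads the path from
# REQUEST_URI (verify in api.php).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api.php [QSA,L]

# Analytics short link
RewriteRule ^a/([a-zA-Z0-9_-]+)-([A-Z0-9]{7})$ api.php [L,QSA]
# Analytics view
RewriteRule ^([a-zA-Z0-9_-]+)/analytics/([a-zA-Z0-9]{32})$ analytics-view.php [L]

# SLUG REDIRECTS START
# Renamed profile slugs. Written as RewriteRules rather than mod_alias
# `Redirect` so they sit in this ordered rule set and are evaluated *before*
# the user-slug catch-all below, which would otherwise claim the old slug
# first. The ^...$ anchors also avoid Redirect's prefix matching, which would
# send /mario-setka-2 to /marijo-setka-2 as well. Keep this block above the
# "User slugs" rule.
RewriteRule ^mario-setka/?$ /marijo-setka [R=301,L]
# SLUG REDIRECTS END

# User slugs: /<slug> -> card.php?slug=<slug>. The character class is the
# only validation of the slug at this layer; card.php must still treat it as
# untrusted input.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(admin|api|uploads)/
RewriteRule ^([a-zA-Z0-9_-]+)/?$ card.php?slug=$1 [QSA,L]

# Security Headers. `always` so they are also attached to Apache-generated
# error responses (403/404/500), which the default "onsuccess" table skips.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor this header controlled has been removed from current
    # browsers, and its filter mode could be abused for cross-site leaks in
    # older ones; "0" (disable) is the current recommendation. CSP is the
    # actual control.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Browsers ignore HSTS received over plain HTTP, so emitting it on every
    # response is harmless. "preload" is deliberately absent (hard to revoke).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # WARNING: this policy allows inline scripts, eval, data: URLs and any
    # https: origin, so it gives almost no protection against injected
    # script. Its effective value is blocking non-https schemes and, via
    # frame-ancestors, framing by other sites. Tightening it (nonces instead
    # of 'unsafe-inline', an explicit script-src list) needs changes in the
    # PHP templates, so it is left as-is here.
    Header always set Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';"

    # Remove PHP version. PHP adds this header itself; `unset` strips it from
    # success responses and `always unset` from error responses. Setting
    # expose_php = Off in php.ini stops PHP emitting it at all.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# Enable Compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>

# Cache static files. These apply by MIME type everywhere, so if user uploads
# are served as static images a replaced image with the same name may be
# cached by browsers for up to a year — use versioned file names for those.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
</IfModule>

# CORS - restrictive: a single fixed origin (the app itself), so cross-site
# callers get no access. Kept as plain `set` (not `always`) on purpose: if
# api.php ever emits its own Access-Control-Allow-Origin, `always set` would
# produce a duplicate header and browsers reject the CORS response entirely.
# If other origins must call the API, decide per request in api.php; never
# change this to "*".
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "https://card.taptap.ba"
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit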
