# Risk Assessment System - Apache Configuration

# Set directory index: files tried, in order, when a directory is requested.
# index.php is preferred over index.html so a stale static page never shadows
# the application entry point.
DirectoryIndex index.php index.html

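<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Redirect to HTTPS (if SSL is available)
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # NOTE: the deny rules below only take effect when mod_rewrite is loaded;
    # <IfModule> skips this whole section silently otherwise. For defence in
    # depth, also place a .htaccess containing "Require all denied" inside
    # includes/ and reports/ so their protection does not depend on this module.

    # Protect includes directory. NC also catches "Includes/" on
    # case-insensitive filesystems.
    RewriteRule ^includes/ - [F,L,NC]

    # Protect reports directory from direct access (PHP can still read it).
    RewriteRule ^reports/ - [F,L,NC]

    # Deny every dot-file and dot-directory at any depth: .git/, .svn/,
    # .DS_Store, .env and its variants (.env.local, .env.bak, ...) which the
    # previous "\.env$" pattern missed. .well-known/ is exempted so ACME /
    # HTTPS validation keeps working.
    RewriteRule (^|/)\.(?!well-known(/|$)) - [F,L]

    # Dependency manifests disclose exact library versions.
    RewriteRule ^(.*/)?composer\.(json|lock)$ - [F,L,NC]
    RewriteRule ^(.*/)?package(-lock)?\.json$ - [F,L,NC]
</IfModule>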

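# Security Headers
<IfModule mod_headers.c>
    # "always" attaches the header to error responses (4xx/5xx) as well as
    # successful ones; plain "Header set" only covers 2xx responses.

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Prevent clickjacking (a CSP frame-ancestors directive supersedes this
    # where both are present)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Limit what the Referer header leaks to third-party sites
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable the legacy XSS auditor. "1; mode=block" is obsolete: current
    # browsers no longer implement the auditor, and in older ones it could be
    # abused as a side channel, so the recommended value is 0 (or omitting the
    # header). Rely on a Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"

    # Hide implementation details. mod_headers cannot actually strip the
    # Server header (core adds it after the header filters run); set
    # "ServerTokens Prod" in the main server config for that. X-Powered-By is
    # emitted by PHP; unsetting it here is a fallback for "expose_php = Off"
    # in php.ini.
    Header unset Server
    Header unset X-Powered-By

    # Content Security Policy (adjust as needed). Note that 'unsafe-inline'
    # in script-src largely defeats the XSS protection a CSP provides; move
    # inline scripts to files or use nonces/hashes before enabling.
    # Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:;"
</IfModule>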

# Disable directory browsing (no auto-generated listing when a directory has
# no index file). Requires "AllowOverride Options" (or All) in the server
# config; without it this .htaccess fails with a 500 rather than being ignored.
Options -Indexes

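# Prevent PHP execution in the uploads directory (if you add one).
# The <If> test uses REQUEST_URI, so it assumes the application is deployed at
# the document root; adjust the prefix if it lives in a sub-directory.
# The pattern is case-insensitive and covers the other extensions a PHP
# handler is commonly mapped to, not just ".php". Which extensions really
# execute is decided by the server's AddHandler/SetHandler configuration, so
# the more robust fix is a .htaccess inside uploads/ with "php_flag engine off"
# (mod_php) or "SetHandler None" - that also covers double extensions such as
# x.php.jpg when the handler is attached via AddHandler.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    <If "%{REQUEST_URI} =~ m#^/uploads/#i">
        Require all denied
    </If>
</FilesMatch>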

# Set default charset. Appends "charset=UTF-8" to text/plain and text/html
# responses that do not declare one, so browsers do not guess the encoding
# (charset sniffing is a known XSS vector). Keep PHP's default_charset in sync.
AddDefaultCharset UTF-8

# Compression: gzip text-based responses on the fly.
# NOTE(review): over HTTPS, compressing pages that echo attacker-controlled
# input next to a secret (e.g. a CSRF token) exposes the secret to the BREACH
# side channel; if that applies here, mask or rotate such tokens per request.
<IfModule mod_deflate.c>
    # Markup and plain text
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    # Stylesheets
    AddOutputFilterByType DEFLATE text/css
    # Scripts and API payloads
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/json
</IfModule>

# Browser caching: emit Expires / Cache-Control: max-age per content type.
# No ExpiresDefault is set, so types not listed here (HTML, JSON, ...) keep
# whatever the application sends.
# NOTE(review): application/pdf gets a week-long max-age. If assessment
# reports are ever delivered as PDF by a script that does not set its own
# Cache-Control, shared caches could retain them - confirm before relying on
# this entry.
<IfModule mod_expires.c>
    ExpiresActive On

    # Long-lived static assets: images and web fonts (one month)
    ExpiresByType image/jpeg    "access plus 1 month"
    ExpiresByType image/png     "access plus 1 month"
    ExpiresByType image/gif     "access plus 1 month"
    ExpiresByType image/webp    "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType font/woff2    "access plus 1 month"
    ExpiresByType font/woff     "access plus 1 month"
    ExpiresByType font/ttf      "access plus 1 month"

    # Assets that change more often: stylesheets, scripts, documents (one week)
    ExpiresByType text/css               "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType application/pdf        "access plus 1 week"
</IfModule>

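# PHP settings (if not set in php.ini).
# php_value/php_flag are honoured only by the Apache PHP module (mod_php);
# under PHP-FPM they are ignored - use php.ini or a .user.ini file instead.
# The module name depends on the PHP major version (mod_php7.c for PHP 7,
# mod_php.c for PHP 8+), so the same settings are declared for both; with
# only the PHP 7 block, "display_errors Off" would silently not apply on a
# PHP 8 host and stack traces could reach users.
<IfModule mod_php7.c>
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
    # Keep error details (paths, traces) out of responses; log them instead.
    # The log file must be writable by the web-server user or errors are lost.
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php_errors.log
    # Session cookie not readable by script, limiting cookie theft via XSS.
    php_flag session.cookie_httponly On
    # Enable once the site is served over HTTPS only:
    # php_flag session.cookie_secure On
</IfModule>
<IfModule mod_php.c>
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
    # Keep error details (paths, traces) out of responses; log them instead.
    # The log file must be writable by the web-server user or errors are lost.
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php_errors.log
    # Session cookie not readable by script, limiting cookie theft via XSS.
    php_flag session.cookie_httponly On
    # Enable once the site is served over HTTPS only:
    # php_flag session.cookie_secure On
</IfModule>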
