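# Admin panel pass-through: stop rewrite processing for this one script so it
# is served directly instead of being routed through the front controller.
# The pattern is anchored with escaped dots so only a file with exactly this
# name matches; the unanchored form also matched any path that merely
# contained a look-alike of the name.
# NOTE(review): this rule only skips rewriting. Nothing in this file restricts
# who may request the panel, so put authentication or an address allowlist in
# front of it (for example a <Files> section with Require directives), and
# confirm the script is one you deployed.
RewriteCond %{REQUEST_FILENAME} /rashwan_admin_panel\.php$
RewriteRule ^ - [L]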


# ========================================
# SECURITY HEADERS (Updated - No Duplicates)
# ========================================
<IfModule mod_headers.c>
    # Clear any copies of these headers from the normal (onsuccess) response
    # table, e.g. ones emitted by the application, before setting them below.
    Header unset X-Frame-Options
    Header unset X-Content-Type-Options
    Header unset X-XSS-Protection
    Header unset Referrer-Policy
    Header unset Permissions-Policy
    
    # Set each header once in the "always" table so it is also sent on error
    # and redirect responses.
    # NOTE(review): the "always" and onsuccess tables are separate. A plain
    # "Header set" for the same name anywhere else in the configuration adds a
    # second copy of that header to successful responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # X-XSS-Protection is a legacy header: current browsers have removed the
    # XSS filter it controlled, so script-injection defence rests on the CSP.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    
    # HSTS: browsers that see this over HTTPS refuse plain HTTP for one year
    # (max-age=31536000), on this host and every subdomain (includeSubDomains).
    # NOTE(review): "preload" signals consent to browser preload lists, which is
    # slow to undo. Confirm every subdomain serves HTTPS before relying on it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    
    # Content Security Policy.
    # NOTE(review): the active policy below is permissive, not tight. It allows
    # 'unsafe-inline', 'unsafe-eval' and any https:/http: origin for scripts,
    # so it does little to contain injected script. It also drops the
    # frame-ancestors directive present in the stricter policy kept here for
    # reference:
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self';"
    Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https: http:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: http:; style-src 'self' 'unsafe-inline' https: http:; img-src 'self' data: https: http:; font-src 'self' data: https: http:; connect-src 'self' https: http:;"

    # Remove server identification.
    # NOTE(review): Apache httpd normally still sends its own Server header
    # after mod_headers has run; that banner is controlled by ServerTokens in
    # the server configuration, not from .htaccess. Verify with a live response.
    # These two lines touch only the onsuccess table, not error responses.
    Header unset Server
    Header unset X-Powered-By
</IfModule>

# ========================================
# HIDE PHP ERRORS (Production Only!)
# ========================================
# Keep PHP error text out of HTTP responses; error output can reveal file
# paths, queries and code fragments to visitors.
# NOTE(review): php_flag/php_value are provided by the Apache PHP module. If PHP
# runs through FPM/CGI instead, these lines do not apply there and may make
# Apache reject the file. Confirm the handler; .user.ini is the per-directory
# equivalent in that setup.
php_flag display_errors Off
# Errors are still recorded, in the log file named below.
php_flag log_errors On
# NOTE(review): this path looks like it is outside the web root. Confirm it is
# not reachable over HTTP and is readable only by the site account.
php_value error_log /home/ashranco/error_logs/php_error.log

# ========================================
# BLOCK SENSITIVE FILES
# ========================================
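# Deny direct download of dumps, backups, logs, scripts and config files.
# Both access-control syntaxes are provided: "Require" for Apache 2.4
# (mod_authz_core), and the older Order/Deny form only where that module is
# absent. Using Order/Deny alone on 2.4 depends on mod_access_compat being
# loaded; without it the server rejects the whole .htaccess file.
# NOTE(review): FilesMatch tests the file name only, so the "git" entry matches
# names ending in ".git", not the contents of a .git/ directory.
<FilesMatch "\.(sql|bak|backup|log|sh|md|git|env|ini)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>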

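# Block hidden files (names that start with a dot, such as .env).
# This section appeared twice with identical content; one copy is enough.
# Both access-control syntaxes are provided so the rule loads on Apache 2.4
# (mod_authz_core) as well as on older servers.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch looks at the file name only, so files inside a dot-directory
# (for example .git/config) do not start with a dot and are not covered by the
# section above. Answer 404 for any URL path under a .git directory.
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.git(/|$)"
</IfModule>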

# Prevent directory browsing: no auto-generated listing is returned for a
# directory that has no index document.
Options -Indexes

# Default document served for a directory request
DirectoryIndex index.php

# Enable URL Rewriting, with substitutions resolved relative to the site root
RewriteEngine On
RewriteBase /

# Front controller. The two conditions below attach to the RewriteRule that
# follows them. They hold only when the request does not map to an existing
# file (!-f) or directory (!-d), so real files and directories are served directly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Otherwise, route everything through index.php, passing the requested path in
# the "url" query parameter. [L] ends rule processing for this pass.
# NOTE(review): "url" is client-controlled input to index.php. QSA appends the
# original query string after it, so a client-supplied url= parameter arrives
# as well, and PHP keeps the last occurrence. Presumably the router validates
# this value before using it for includes or file paths; confirm in index.php.
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]

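# Security Headers (repeat of three headers from the main block above).
# These now use "always" to match that block. A plain "Header set" writes to
# the separate onsuccess table, so successful responses carried each of these
# headers twice. Within one table a later "set" replaces the earlier value,
# leaving a single copy. This section can be dropped once the main block is
# confirmed to be active.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>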