# ============================================================
# QPro - Apache .htaccess (Namecheap Compatible)
# Works with Apache + LiteSpeed (Namecheap default)
# ============================================================

# -Indexes: never generate a directory listing for a folder without an index file.
# +FollowSymLinks: mod_rewrite in per-directory (.htaccess) context needs
# FollowSymLinks or SymLinksIfOwnerMatch to be enabled.
Options -Indexes +FollowSymLinks

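<IfModule mod_rewrite.c>
    RewriteEngine On

    # IMPORTANT: Update RewriteBase to match your install path
    # If installed at https://domain.com/qpro/  → RewriteBase /qpro/
    # If installed at https://domain.com/      → RewriteBase /
    # If on subdomain https://app.domain.com/  → RewriteBase /
    RewriteBase /qpro/

    # --------------------------------------------------------
    # 0. Hide .php from URLs — redirect to clean URL
    # --------------------------------------------------------
    # THE_REQUEST is the raw request line ("GET /qpro/page.php HTTP/1.1"),
    # so %1 already holds the full path from the web root, install prefix
    # included. Redirecting to /%1 therefore avoids producing /qpro/qpro/...
    # and needs no edit when the install path changes.
    # [^?\s] keeps the match inside the URL path, so a ".php" that only
    # appears in the query string does not trigger a redirect.
    RewriteCond %{THE_REQUEST} \s/+([^?\s]*?)/?index\.php[\s?] [NC]
    RewriteRule ^ /%1 [R=301,L,NE]

    RewriteCond %{THE_REQUEST} \s/+([^?\s]*?)\.php[\s?] [NC]
    RewriteRule ^ /%1 [R=301,L,NE]

    # --------------------------------------------------------
    # 1. Block direct access to sensitive folders
    # --------------------------------------------------------
    # Patterns are relative to the directory holding this .htaccess.
    # These rules depend on mod_rewrite being loaded; without it the
    # whole <IfModule> is skipped and the folders are not protected here.
    RewriteRule ^config/            - [F,L]
    RewriteRule ^core/              - [F,L]
    RewriteRule ^models/            - [F,L]
    RewriteRule ^helpers/           - [F,L]
    RewriteRule ^vendor/            - [F,L]
    RewriteRule ^logs/              - [F,L]
    RewriteRule ^install/           - [F,L]
    RewriteRule ^admin/controllers/ - [F,L]
    RewriteRule ^admin/views/       - [F,L]
    RewriteRule ^controllers/       - [F,L]
    RewriteRule ^views/             - [F,L]

    # --------------------------------------------------------
    # 2. Block PHP execution inside uploads folder
    # --------------------------------------------------------
    # Refuse any upload path that carries a PHP-style extension, whether it
    # is the final extension, is followed by another extension, or is
    # followed by extra path segments. php[0-9]* covers versioned suffixes.
    # This is a URL-level deny list only; which extensions the server would
    # actually execute depends on handler configuration not visible here,
    # so also validate file types at upload time.
    RewriteRule ^assets/uploads/.*\.(php[0-9]*|phtml?|pht|phar|phps)([./]|$) - [F,NC,L]

    # --------------------------------------------------------
    # 3. Serve real static FILES directly (NOT directories)
    # --------------------------------------------------------
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^ - [L]

    # --------------------------------------------------------
    # 4. Route everything else to index.php
    # --------------------------------------------------------
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>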

# Block sensitive file types
# Applies to every directory below this .htaccess, not to one folder.
# The pattern is case-sensitive: a file named e.g. "dump.SQL" is not matched.
# Order/Deny are the Apache 2.2 access directives; on Apache 2.4 they are
# provided by mod_access_compat.
# NOTE(review): confirm that module is loaded on the target host, and check
# that a request for a matching file really returns 403 after deployment.
<FilesMatch "\.(sql|log|env|sh|bash|bak|conf|ini|json|md)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Explicitly allow common static asset types.
# NOTE(review): this block is not scoped to the uploads folder (it applies to
# the whole tree below this .htaccess) and it only grants access to the listed
# extensions; it does not deny any other extension. It therefore does not
# restrict uploads to these types. An allow-list for uploads would need a
# default-deny rule placed in (or scoped to) assets/uploads/.
# SVG files can contain script; treat user-uploaded SVG as active content.
<FilesMatch "\.(jpg|jpeg|png|gif|webp|pdf|svg|ico|css|js|woff|woff2|ttf|eot)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

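# PHP settings
# php_flag / php_value are honoured only when PHP runs as an Apache module.
# For PHP 8 that module is identified as mod_php.c (PHP 7 used mod_php7.c);
# "mod_php8.c" is not a module name, so a block guarded by it is skipped and
# display_errors / session cookie hardening are silently left at defaults.
# NOTE(review): on LiteSpeed, PHP-FPM or CGI hosts confirm with ini_get() that
# these values take effect; otherwise set them in .user.ini / php.ini or in
# the application bootstrap.
<IfModule mod_php.c>
    # Do not leak stack traces or paths to visitors; keep them in the log.
    php_flag  display_errors      Off
    php_flag  log_errors          On
    # post_max_size must stay above upload_max_filesize to leave room for
    # the other form fields in a multipart request.
    php_value upload_max_filesize 16M
    php_value post_max_size       20M
    php_value max_execution_time  120
    php_value memory_limit        256M
    # Session cookie: not readable from JavaScript, not sent on cross-site
    # sub-requests. The Secure flag is not set here.
    php_value session.cookie_httponly 1
    php_value session.cookie_samesite Lax
</IfModule>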

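# Security headers
# "always" adds the header to error responses (4xx/5xx) as well.
# If mod_headers is not loaded, none of these headers are sent.
<IfModule mod_headers.c>
    # Stop browsers from guessing a content type different from the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Only allow framing by pages of the same origin (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor has been removed from current browsers and its
    # block mode could itself be abused in old ones; the recommended value
    # is 0. XSS defence belongs in output encoding and a
    # Content-Security-Policy, which this file does not define.
    Header always set X-XSS-Protection "0"
    # Send the full URL as referrer only to the same origin.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # NOTE(review): no Content-Security-Policy or Strict-Transport-Security is
    # set here; add them once the site's script sources and HTTPS-only status
    # are known.
</IfModule>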

# Compress text-based responses before sending them (skipped when
# mod_deflate is unavailable). One MIME type per line for easy diffing.
<IfModule mod_deflate.c>
    # Markup and plain text
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    # Stylesheets and scripts
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    # Data and vector images
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# Client-side cache lifetimes, counted from the time of the request
# ("access"). Types not listed here get no Expires header from this block.
<IfModule mod_expires.c>
    ExpiresActive On

    # Stylesheets and scripts: one week
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType text/css "access plus 1 week"

    # Raster images: one month
    # (image/jpg is not a registered MIME type; image/jpeg is the one
    # servers normally emit for .jpg files)
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
</IfModule>
