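# PHP Security Settings
# These php_flag/php_value lines only take effect when PHP runs as the mod_php
# Apache module. Under PHP-FPM/FastCGI they are ignored and the same keys must be
# set in php.ini or a .user.ini instead.
<IfModule mod_php.c>
    # Session cookie settings (all PHP_INI_ALL, so .htaccess can set them)
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    # NOTE(review): Strict withholds the session cookie on every cross-site
    # navigation (e.g. a link from another site into a logged-in page), so users
    # arrive logged out; Lax is the usual choice unless that is intended.
    php_value session.cookie_samesite "Strict"
    # Reject uninitialised session IDs supplied by the client (session fixation).
    php_flag session.use_strict_mode on
    # 0 = browser-session cookie; server-side session data becomes eligible for
    # garbage collection after 3600 s of inactivity.
    php_value session.cookie_lifetime 0
    php_value session.gc_maxlifetime 3600
    # Never accept a session ID from the URL, cookies only.
    php_flag session.use_cookies on
    php_flag session.use_only_cookies on

    # Other security settings
    # Errors go to the server log, never into the response body.
    php_flag display_errors off
    php_flag log_errors on
    # NOTE(review): expose_php, allow_url_fopen and allow_url_include are
    # PHP_INI_SYSTEM settings; mod_php does not honour them from .htaccess, so the
    # three lines below are no-ops here and must be set in php.ini. Verify with
    # phpinfo() that the effective values are the intended ones. Kept so the
    # intended policy stays visible in one place.
    php_flag expose_php off
    php_flag allow_url_fopen off
    php_flag allow_url_include off
</IfModule>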

# Force HTTPS and handle PHP extensions
# Rule order matters in this section: each RewriteRule carries [L], so the first
# rule that matches ends the current rewrite pass.
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # HTTPS redirection: permanent (301) redirect of every plain-HTTP request to
    # the same path over HTTPS. The target host comes from the request's Host
    # header (%{HTTP_HOST}). NOTE(review): that reflects whatever host the client
    # sent, so the redirect target is only as trustworthy as the vhost's
    # ServerName/ServerAlias matching — confirm, or use the canonical hostname.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # PHP extension handling (from existing file): when the requested path does
    # not already end in .php but <path>.php exists on disk (-f), rewrite to it
    # internally, keeping the query string (QSA).
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule !.*\.php$ %{REQUEST_FILENAME}.php [QSA,L]
    
    # Redirect rule (from existing file). This is a mod_alias directive, not a
    # mod_rewrite rule; it is gated by this <IfModule mod_rewrite.c> only by
    # placement, and is processed independently of the rules above.
    Redirect /salesforce/expertise/community_cloud /salesforce/expertise/experience_cloud.php
    
    # Prevent access to specific directories: 403 (F) for paths that start with
    # .git or .svn. In .htaccess (per-directory) context the pattern is matched
    # against the path relative to this directory, so the ^ anchor only covers
    # VCS directories at this level — NOTE(review): a .git checkout inside a
    # subdirectory is not covered by this rule.
    RewriteRule ^(\.git|\.svn) - [F,L]
</IfModule>

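# Security Headers
# "always" makes a Header directive act on every response, including error
# responses; without it only successful responses are affected.
<IfModule mod_headers.c>
    # Stop browsers MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"

    # HSTS: one year, all subdomains, opt-in to the browser preload list.
    # NOTE(review): includeSubDomains + preload is effectively irreversible for
    # every subdomain; confirm all subdomains serve HTTPS before keeping "preload".
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Legacy clickjacking control; consistent with frame-ancestors 'self' in the CSP.
    Header always set X-Frame-Options "SAMEORIGIN"

    # NOTE(review): X-XSS-Protection is deprecated and ignored by current
    # browsers; the CSP below is the real control. Value left unchanged.
    Header always set X-XSS-Protection "1; mode=block"

    # Full referrer same-origin, origin only cross-origin, nothing on HTTPS->HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Content Security Policy - Updated to address all violations
    # NOTE(review): policy values are unchanged, but note that script-src carries
    # 'unsafe-inline' and 'unsafe-eval', so this CSP does not stop injected
    # inline scripts; moving to nonces/hashes would restore that protection.
    # Allowlisting entire public CDNs (cdnjs, jsdelivr, unpkg, ajax.googleapis)
    # makes every library hosted there loadable; Subresource Integrity on the
    # script tags limits that. img-src 'https:' already covers the explicit
    # https hosts listed after it, and block-all-mixed-content is deprecated
    # (upgrade-insecure-requests supersedes it).
    Header always set Content-Security-Policy "default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com https://www.google.com https://www.gstatic.com https://cdnjs.cloudflare.com https://code.jquery.com https://cdn.jsdelivr.net https://unpkg.com https://ajax.googleapis.com https://td.doubleclick.net https://*.cloudflare.com https://*.jsdelivr.net https://*.google-analytics.com https://*.doubleclick.net; \
style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://unpkg.com https://fonts.googleapis.com https://*.cloudflare.com https://*.jsdelivr.net https://*.googleapis.com https://*.googletagmanager.com https://*.gstatic.com; \
img-src 'self' data: https: https://www.caeliusconsulting.com https://www.google-analytics.com www.googletagmanager.com https://*.doubleclick.net; \
font-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net data: https://fonts.gstatic.com https://*.cloudflare.com https://*.jsdelivr.net https://*.gstatic.com; \
connect-src 'self' https://www.google-analytics.com https://stats.g.doubleclick.net https://*.google-analytics.com https://*.doubleclick.net https://www.google.com; \
frame-src 'self' https://www.google.com https://td.doubleclick.net https://www.googletagmanager.com; \
object-src 'none'; \
base-uri 'self'; \
form-action 'self'; \
frame-ancestors 'self'; \
upgrade-insecure-requests; \
block-all-mixed-content"

    # CORS settings: public static assets only, so a wildcard origin is
    # acceptable (a "*" origin can never be combined with credentials).
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>

    # Cookie hardening for every Set-Cookie header the application emits.
    # Each attribute is appended only when the cookie does not already carry it
    # (case-insensitive negative lookahead), so cookies PHP already flags via
    # the session.cookie_* settings are not given duplicate attributes, which
    # the previous unconditional "^(.*)$" edits did.
    # A Header directive acts on one header table, so each edit is declared
    # twice: once for successful responses and once with "always".
    Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*SameSite=).)+)$" "$1; SameSite=Strict"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*SameSite=).)+)$" "$1; SameSite=Strict"

    # Permissions-Policy: deny these features to this origin and to embedded frames.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>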

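# Disable directory browsing
Options -Indexes

# Protect sensitive files: refuse to serve dotenv, VCS, composer and php.ini
# files directly. Pattern note: only "\.env" is anchored with ^; the other
# alternatives match anywhere in the filename (e.g. composer.json.bak is also
# denied), which is the existing, deliberately broad behaviour.
# "Require all denied" is the Apache 2.4 authorization form; the Order/Deny
# pair is kept only for servers without mod_authz_core (2.2 syntax). They are
# kept in separate <IfModule> sections because mixing both on 2.4 with
# mod_access_compat gives hard-to-reason-about merge results.
<FilesMatch "^\.env|\.gitignore|composer\.json|composer\.lock|php\.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>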

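# Cache control (from existing file)
# NOTE(review): one-year lifetimes on CSS/JS are only safe when asset URLs are
# versioned (fingerprinted filenames or a cache-busting query parameter);
# otherwise clients keep stale code, including stale security fixes, for up to
# a year. Confirm the site's build does this.
<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"

  # Video
  ExpiresByType video/mp4 "access plus 1 year"
  ExpiresByType video/mpeg "access plus 1 year"

  # CSS, JavaScript
  ExpiresByType text/css "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"

  # Others
  ExpiresByType application/pdf "access plus 1 day"
  # Obsolete type; harmless, kept from the existing file.
  ExpiresByType application/x-shockwave-flash "access plus 1 day"

  # Fonts (the duplicate image/svg+xml entry that used to sit here is already
  # covered by the identical line under "Images")
  ExpiresByType font/ttf "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
</IfModule>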

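# GZIP compression (from existing file)
# Only font formats that are not already compressed, plus SVG (text), go
# through DEFLATE. woff and woff2 were removed from the list: they are already
# zlib/Brotli-compressed internally, so gzip gains nothing and only costs CPU
# per request. No HTML/JSON is compressed here, so BREACH-style concerns do
# not apply to this section.
<IfModule mod_deflate.c>
  <FilesMatch "\.(ttf|otf|eot|svg)$">
    SetOutputFilter DEFLATE
  </FilesMatch>
</IfModule>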

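# PHP settings
# This section applies when PHP 7 runs as the mod_php7 Apache module; it
# carries the same policy as the mod_php section earlier in this file so both
# PHP generations behave alike. Ignored under PHP-FPM/FastCGI.
<IfModule mod_php7.c>
    # Disable showing PHP version
    # NOTE(review): expose_php, allow_url_fopen and allow_url_include are
    # PHP_INI_SYSTEM settings that mod_php does not honour from .htaccess; they
    # must be set in php.ini (verify with phpinfo()). Kept here for visibility.
    php_flag expose_php Off

    # Ensure cookies are secure
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    # NOTE(review): Strict withholds the cookie on cross-site navigations; Lax
    # is the usual choice unless that is intended.
    php_value session.cookie_samesite "Strict"
    # Parity with the mod_php section: reject client-supplied uninitialised
    # session IDs, browser-session cookie, 3600 s idle GC, no URL session IDs.
    php_flag session.use_strict_mode On
    php_value session.cookie_lifetime 0
    php_value session.gc_maxlifetime 3600
    php_flag session.use_cookies On
    php_flag session.use_only_cookies On

    # Errors to the server log, never into the response body.
    php_flag display_errors Off
    php_flag log_errors On

    # Block external file inclusion (PHP_INI_SYSTEM, see note above)
    php_flag allow_url_fopen Off
    php_flag allow_url_include Off
</IfModule>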

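# Directory listing is already disabled by the "Options -Indexes" earlier in
# this file; the duplicate directive that used to sit here was dropped.

# Protect sensitive files (second list). It overlaps with the earlier
# FilesMatch section and additionally covers package.json and
# package-lock.json; both sections apply, so a name matched by either is
# denied. As before, only "\.env" is ^-anchored, the other alternatives match
# anywhere in the filename.
# "Require all denied" is the Apache 2.4 form; Order/Deny is kept only for
# servers without mod_authz_core, in its own <IfModule> so the two
# authorization styles are never mixed on 2.4.
<FilesMatch "^\.env|composer\.json|composer\.lock|package\.json|package-lock\.json|\.gitignore">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>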

# Prevent against common vulnerabilities
# Returns 403 for requests whose query string matches one of three legacy
# blocklist signatures. Relies on "RewriteEngine On" from the earlier
# <IfModule mod_rewrite.c> section of this file.
# NOTE(review): this is a signature blocklist, not an input-validation or XSS
# control; it is inherently incomplete and does not replace output encoding
# and the Content-Security-Policy set elsewhere in this file. Defence in depth only.
<IfModule mod_rewrite.c>
    # 1) "<...script...>", literal or %3C/%3E-encoded, case-insensitive (NC).
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # 2) attempts to set PHP's GLOBALS array from the query string. This and
    #    the next condition are case-sensitive (no NC flag); the three
    #    conditions are OR-ed together.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # 3) same for _REQUEST.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # [F] answers 403; with F set the "index.php" substitution is ignored
    # ("-" would express that more clearly).
    RewriteRule .* index.php [F,L]
</IfModule>

# Strip the X-Powered-By header (PHP version disclosure) from every response.
# The expose_php setting would stop PHP emitting it in the first place, but
# that setting cannot be changed from .htaccess, so the header is removed at
# the Apache layer instead.
<IfModule mod_headers.c>
    # Error responses ("always" table) first, then successful responses, so the
    # header disappears from both.
    Header always unset X-Powered-By
    Header unset X-Powered-By
</IfModule>

# Set default charset: adds "charset=UTF-8" to text/plain and text/html
# responses, so browsers never have to guess the encoding (guessing is what
# charset-sniffing injection tricks rely on). Other content types are unaffected.
AddDefaultCharset UTF-8 