# ================== ROOT — Hardened (sin normalizar rutas) ==================

# 1) Server options
#    -Indexes: never emit a directory listing when no index file exists.
#    -MultiViews: no content negotiation, so a request for /foo is not
#      silently served from a sibling such as /foo.bak or /foo.old and the
#      file-name denylist further down keeps its meaning.
Options -Indexes -MultiViews
# Text responses carry charset=utf-8 unless the handler sets its own.
AddDefaultCharset UTF-8
# No ETag at all: avoids disclosing file metadata (size/mtime/inode);
# Last-Modified still lets clients revalidate static files.
FileETag None

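<IfModule mod_rewrite.c>
  RewriteEngine On

  # 2) Canonical host + HTTPS (no loops).
  #    Order matters: the host rule already lands on https://, so a request
  #    on a non-canonical host takes a single redirect; the scheme rule then
  #    only fires for the canonical host reached over plain HTTP.
  RewriteCond %{HTTP_HOST} !^www\.tanbellamipea\.com$ [NC]
  RewriteRule ^ https://www.tanbellamipea.com%{REQUEST_URI} [R=301,L]

  # X-Forwarded-Proto is honoured for deployments behind a TLS-terminating
  # proxy. NOTE(review): that header is only meaningful if the proxy
  # overwrites any client-supplied value — confirm with the hosting setup.
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  # 3) Block dotfiles (.git, .env, .htpasswd, ...) everywhere, except the
  #    ACME/verification tree under /.well-known/.
  #    This runs BEFORE the /admin|/backend|/api pass-through so that paths
  #    such as /api/.git/HEAD or /backend/.env are refused at this level
  #    too, independent of what those directories configure themselves
  #    (a subdirectory .htaccess with its own RewriteEngine replaces this
  #    ruleset unless it uses RewriteOptions Inherit).
  RewriteRule "(^|/)\.(?!well-known/)" - [F]

  # 4) Leave /admin, /backend and /api alone from here on (they carry their
  #    own rules). "-" means no substitution, so [L] just ends this ruleset
  #    for the request without rewriting anything.
  RewriteRule ^(admin|backend|api)(/|$) - [L]

  # 5) Refuse risky methods at root level
  #    (OPTIONS is handled by /api; here it is blocked)
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DELETE|PUT|PATCH|PROPFIND|OPTIONS)$ [NC]
  RewriteRule ^ - [F]
</IfModule>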

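# 6) Deny sensitive files and deploy artefacts by name.
#    <FilesMatch> is matched against the file's basename only, so the
#    patterns are anchored with ^/$ and carry no directory component.
#    - "\.env$" alone misses .env.local, .env.production, ...; the first
#      alternative covers the whole family (basename starting with ".env").
#    - Private-key material (key/pem/p12/pfx) and htpasswd files are added
#      to the extension list.
<FilesMatch "(^\.env(\..+)?|\.(env|ya?ml|ini|log|sql(\.gz)?|bak|old|orig|save|swp|git|zip|rar|7z|tar|gz|bz2|xz|DS_Store|key|pem|p12|pfx|htpasswd))$">
  Require all denied
</FilesMatch>
# Build/tooling manifests: they disclose dependency versions or are not
# meant to be served at all. package*.json / yarn.lock added for the same
# reason as composer.*.
<FilesMatch "^(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|phpunit\.xml(\.dist)?|artisan|Procfile|Makefile|Dockerfile|docker-compose\.ya?ml)$">
  Require all denied
</FilesMatch>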

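# 7) Security headers (CSP is emitted from PHP once you define it)

# The rewrite rules above accept "X-Forwarded-Proto: https" as a secure
# request, but mod_ssl only sets the HTTPS variable when Apache terminated
# TLS itself, so behind a TLS-terminating proxy the HSTS rule below would
# never fire. Mirror the header into HTTPS so both paths agree.
# NOTE(review): this trusts X-Forwarded-Proto exactly as the rewrite block
# already does; confirm the proxy overwrites any client-supplied value.
<IfModule mod_setenvif.c>
  SetEnvIf X-Forwarded-Proto "^https$" HTTPS=on
</IfModule>

<IfModule mod_headers.c>
  # No MIME sniffing: a response is only interpreted as its declared type.
  Header always set X-Content-Type-Options "nosniff"
  # Legacy clickjacking guard; CSP frame-ancestors supersedes it once CSP exists.
  Header always set X-Frame-Options "SAMEORIGIN"
  # Full referrer same-origin, origin only cross-origin, nothing on HTTPS->HTTP.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Opt out of powerful features the site does not use.
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), browsing-topics=()"
  # No crossdomain.xml / clientaccesspolicy.xml for Flash/Silverlight-era clients.
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # Other origins may not embed this site's images/fonts/scripts as subresources.
  # NOTE(review): relax to "same-site" if assets must load from a subdomain.
  Header always set Cross-Origin-Resource-Policy "same-origin"

  # HSTS: enable ONLY when everything is served over HTTPS (ideally the whole root).
  # Drop "includeSubDomains" and "preload" unless every subdomain is HTTPS-only;
  # preload is effectively irreversible once the domain is submitted.
  # env=HTTPS keeps the header off plain-HTTP responses (browsers ignore it there anyway).
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

  # Hide the stack. This only strips the header PHP adds; expose_php=Off
  # in php.ini is the cleaner fix.
  Header always unset X-Powered-By
</IfModule>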

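# 8) Safe caching (never cache HTML; do cache assets)
<IfModule mod_expires.c>
  ExpiresActive On
  # SPA entry documents must always be revalidated so a deploy is picked up
  # immediately; mod_expires emits Cache-Control: max-age=0 plus a matching
  # Expires header for these.
  ExpiresByType text/html "access plus 0 seconds"
  # JSON is not an asset: without this line API/manifest responses served
  # through this tree fall into ExpiresDefault (1 day) and could be replayed
  # stale by intermediaries. Handlers returning per-user data should still
  # send Cache-Control: no-store themselves — max-age=0 only forces
  # revalidation, it does not forbid storage.
  ExpiresByType application/json "access plus 0 seconds"

  # Assets with a reasonable TTL (presumably the build fingerprints file
  # names, so a week for CSS/JS is conservative; verify against the build).
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType text/javascript "access plus 7 days"
  ExpiresByType image/avif "access plus 30 days"
  ExpiresByType image/webp "access plus 30 days"
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"
  ExpiresByType image/gif "access plus 30 days"
  ExpiresByType image/svg+xml "access plus 30 days"
  ExpiresByType font/woff2 "access plus 30 days"
  # Everything not listed above
  ExpiresDefault "access plus 1 day"
</IfModule>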

# 9) Compression (gzip/deflate; Brotli if the host supports it)
#    Only text-like types are compressed, one directive per type for easier
#    diffing. Raster images and woff2 fonts are already compressed and are
#    intentionally absent. Compressing HTML/JSON that mixes a secret (e.g. a
#    CSRF token) with attacker-influenced content is the precondition for
#    BREACH-style leakage; keep such tokens out of compressed bodies or mask them.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/json
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
#<IfModule mod_brotli.c>
#  BrotliCompressionQuality 5
#  AddOutputFilterByType BROTLI_COMPRESS text/plain text/html text/css application/javascript application/json application/xml image/svg+xml
#</IfModule>

# 10) Extra MIME types
#     Older hosts may lack these mappings; without them the files would be
#     served as the default type and the nosniff header above would make
#     browsers refuse them.
<IfModule mod_mime.c>
  AddType image/avif .avif
  AddType image/webp .webp
  AddType font/woff2 .woff2
</IfModule>

# 11) Plain listings even if Indexes gets re-enabled by mistake
#     Defence in depth behind "Options -Indexes": should a listing ever be
#     produced, it carries no icons/sizes/dates.
<IfModule mod_autoindex.c>
  IndexOptions -FancyIndexing
</IfModule>

# 12) Página 403 sobria (opcional)
#ErrorDocument 403 "Acceso denegado."
