# ================== /api — HARDENED (compatible, does not break the UI) ==================
# .htaccess for the /api directory. Targets Apache 2.4 (the Require directives below
# need mod_authz_core). Directives that depend on an optional module are wrapped in
# <IfModule> so the file still loads when that module is absent.
# No directory listings; MultiViews off so content negotiation cannot pick an
# unexpected file variant for a request
Options -Indexes -MultiViews
# Advertise UTF-8 on text responses
AddDefaultCharset UTF-8
# Do not emit an ETag for static files (no size/mtime-derived validator)
FileETag None

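<IfModule mod_rewrite.c>
  RewriteEngine On

  # The deny rules come FIRST so they apply to every request method, including
  # OPTIONS. With the preflight passthrough placed ahead of them, its [L] flag ended
  # rewrite processing for OPTIONS requests before the dotfile/backup/traversal
  # rules ran, so those paths were only protected for the other methods.

  # 1) Dotfiles (.git, .env, ...), except .well-known/
  RewriteRule "(^|/)\.(?!well-known/)" - [F]

  # 2) Backups, editor artefacts, archives and dumps
  RewriteRule \.(?:bak|old|orig|save|swp|swo|sql|tar|t?gz|zip|rar|7z)$ - [F,NC]

  # 3) Traversal and null bytes in the raw request line or the query string
  #    (THE_REQUEST is the undecoded request line, so both ../ and %00 are literal there)
  RewriteCond %{THE_REQUEST} (\.\./|%00) [OR]
  RewriteCond %{QUERY_STRING} (\.\./|%2e%2e|%00) [NC]
  RewriteRule ^ - [F]

  # 4) (optional) Normalize a leaked physical filesystem path
  #RewriteRule ^home/tanbella/public_html/api/(.*)$ /api/$1 [R=301,L]

  # 5) CORS preflight: stop rewriting here and let the request proceed.
  #    "-" means no substitution, so the request is still handled by whatever the
  #    path resolves to (for a PHP endpoint, PHP still runs); this rule only keeps
  #    the method filter below from touching it. If the CORS whitelist further down
  #    is enabled, the preflight response carries those headers.
  RewriteCond %{REQUEST_METHOD} =OPTIONS
  RewriteRule ^ - [L]

  # 6) Any method other than GET/POST/HEAD/OPTIONS (TRACE, PUT, DELETE, ...) -> 403
  #    Note: R=405 would force a redirect; a plain deny is preferable.
  RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)$ [NC]
  RewriteRule ^ - [F,L]
</IfModule>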

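# 7) Regular PHP endpoints are allowed (the app controls auth/CSRF).
#    This section must come BEFORE the deny sections: <Files>/<FilesMatch> sections
#    are merged in order of appearance and, with the default AuthMerging Off, a later
#    section's Require replaces the earlier one. In the original order the
#    "Require all granted" for \.php$ came last and therefore overrode the denial of
#    config.php, db.php, guard.php and diag.php.
<FilesMatch "\.php$">
  Require all granted
</FilesMatch>

# 8) Sensitive internals: config/helpers, logs, build files, VCS metadata
#    (the trailing (|\.php) group matches both "config" and "config.php")
<FilesMatch "(^|/)(config|db|guard|diag|error_log|composer\.(json|lock)|phpunit\.xml(\.dist)?|artisan|env|\.env|\.git|\.svn)(|\.php)$">
  Require all denied
</FilesMatch>
<Files "error_log">
  Require all denied
</Files>

# 9) Do not expose non-standard PHP source/archive extensions
<FilesMatch "\.(phps|phtml|phar)$">
  Require all denied
</FilesMatch>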

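# 10) Restrained security headers + no-cache for the API
<IfModule mod_headers.c>
  # "always" places the header in the err_headers_out table, so it is also sent on
  # non-2xx responses (403/404/500), not only on successes
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  Header always set Cross-Origin-Resource-Policy "same-origin"

  # Never cache API responses
  # NOTE(review): if PHP itself also emits Cache-Control/Pragma (e.g. the session
  # cache limiter), those land in the success table and the response may carry the
  # header twice — confirm on a live endpoint
  Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
  Header always set Pragma "no-cache"

  # HSTS only if the WHOLE site is HTTPS (ideally also set at the document root).
  # env=HTTPS relies on the HTTPS variable exported by mod_ssl; behind a
  # TLS-terminating proxy that variable is not set and the header would be silently
  # skipped — confirm for this host
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

  # Hide the technology. The X-Powered-By header added by PHP typically sits in the
  # normal (onsuccess) headers table, which "always" does not touch, so it has to be
  # removed from both tables.
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>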

# 11) CORS — APAGADO por defecto (same-origin). Si necesitas whitelist, descomenta:
#<IfModule mod_headers.c>
#  # Permitir origen propio con/sin www (agrega staging si aplica)
#  SetEnvIf Origin "^https://(www\.)?tanbellamipea\.com$" ORIGIN_OK=$0
#  Header always set Access-Control-Allow-Origin "%{ORIGIN_OK}e" env=ORIGIN_OK
#  Header always set Vary "Origin"
#  Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"
#  Header always set Access-Control-Allow-Headers "Content-Type, X-CSRF-Token"
#  # Browsers only recognize the value "true"; when credentials are not needed,
#  # omit this header rather than sending "false"
#  Header always set Access-Control-Allow-Credentials "false"
#</IfModule>

# 12) (Opcional) endurecer cookies de sesión si estás en mod_php
#<IfModule mod_php*.c>
#  php_flag display_errors Off
#  php_value session.cookie_httponly 1
#  php_value session.cookie_secure 1
#  php_value session.cookie_samesite "Lax"
#</IfModule>

# 13) Página 403 sobria (opcional)
#ErrorDocument 403 "Prohibido."
