# ================== ROOT — DEMO (PHP, sin Passenger) ==================

# Turn Phusion Passenger off for this docroot (the site is plain PHP).
# The <IfModule> guard means the directive is simply skipped on servers where
# mod_passenger is not loaded, instead of failing on an unknown directive.
<IfModule mod_passenger.c>
  PassengerEnabled off
</IfModule>

# 1) Server options
#    -Indexes:    no auto-generated directory listings.
#    -MultiViews: no content negotiation, so a request for /foo is not
#                 resolved to some foo.<ext> sibling file.
#    AddDefaultCharset: adds charset=UTF-8 to text responses lacking a charset.
#    FileETag None: no ETag header is generated for static files.
# NOTE(review): these sit outside any <IfModule>; presumably the vhost grants
# the needed AllowOverride classes (Options, FileInfo) — confirm, otherwise
# the whole docroot answers 500.
Options -Indexes -MultiViews
AddDefaultCharset UTF-8
FileETag None

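<IfModule mod_rewrite.c>
  RewriteEngine On

  # 2) Force HTTPS without changing the host.
  #    Both conditions must hold (implicit AND): the connection is not TLS
  #    and no front proxy reported https. R=302 is a temporary redirect.
  #    NOTE(review): X-Forwarded-Proto is a request header and is only
  #    trustworthy when a front proxy sets or strips it; the redirect target
  #    is built from the request's Host header, so confirm the vhost only
  #    answers for the expected host names.
  RewriteCond %{HTTPS} !=on
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L]

  # 3) Block dotfiles (.git, .env, etc.); only /.well-known/ stays reachable.
  #    This rule must stay ABOVE the pass-through rule below: that rule ends
  #    processing with [L], so with the opposite order a path such as
  #    admin/.git/HEAD would never reach this check.
  RewriteRule "(^|/)\.(?!well-known/)" - [F]

  # 4) Leave /admin, /backend and /api untouched (they carry their own rules).
  #    [L] stops this ruleset here, so the method filter in step 5 is
  #    deliberately not applied to these three prefixes.
  RewriteRule ^(admin|backend|api)(/|$) - [L]

  # 5) Refuse risky or unneeded HTTP methods at root level (403).
  #    [NC] makes the method comparison case-insensitive.
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|DELETE|PUT|PATCH|PROPFIND|OPTIONS)$ [NC]
  RewriteRule ^ - [F]
</IfModule>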

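# 6) Deny access to sensitive files and deploy artifacts.
#    <FilesMatch> tests only the last path component (the file name), so the
#    second pattern is anchored with ^ alone; a "/" can never appear there.
#    (?i) makes both patterns case-insensitive, so backup.SQL, .ENV or
#    dockerfile are denied as well as their usual spellings.
#    Files inside a .git/ directory are not covered here (their names carry no
#    listed extension); the mod_rewrite dotfile rule handles those.
<FilesMatch "(?i)\.(env|ya?ml|ini|log|sql(\.gz)?|bak|old|orig|save|swp|git|zip|rar|7z|tar|gz|bz2|xz|DS_Store)$">
  Require all denied
</FilesMatch>
<FilesMatch "(?i)^(composer\.(json|lock)|phpunit\.xml(\.dist)?|artisan|Procfile|Makefile|Dockerfile|docker-compose\.ya?ml)$">
  Require all denied
</FilesMatch>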

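# 7) Security headers
<IfModule mod_headers.c>
  # "always" attaches the header to error and redirect responses too, not
  # only to successful ones.
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), browsing-topics=()"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  Header always set Cross-Origin-Resource-Policy "same-origin"

  # HSTS is sent only for HTTPS requests. The condition uses the same two
  # signals as the HTTPS redirect (direct TLS, or https reported by a front
  # proxy); with env=HTTPS alone the header was never sent when TLS ends at
  # a proxy. req_novary keeps X-Forwarded-Proto out of the Vary header.
  # Browsers ignore HSTS received over plain HTTP, so a forged
  # X-Forwarded-Proto gains nothing here.
  # NOTE(review): includeSubDomains + preload commit every subdomain to
  # HTTPS for a year — confirm that is intended for a demo docroot.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on' || %{req_novary:X-Forwarded-Proto} == 'https'"

  # X-Powered-By can sit in either header table depending on how PHP runs
  # (module vs. CGI/FastCGI); "always unset" clears only one of them, so
  # remove it from both.
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>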

# 8) Conservative caching
#    HTML is never cached ("access plus 0 seconds"); CSS and JavaScript are
#    cached for 7 days; images and woff2 fonts for 30 days.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType text/javascript "access plus 7 days"
  ExpiresByType image/avif "access plus 30 days"
  ExpiresByType image/webp "access plus 30 days"
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"
  ExpiresByType image/gif "access plus 30 days"
  ExpiresByType image/svg+xml "access plus 30 days"
  ExpiresByType font/woff2 "access plus 30 days"
  # Fallback for every media type not listed above.
  # NOTE(review): presumably this also reaches PHP output that is not
  # text/html (e.g. application/json) unless the script sends its own caching
  # headers — verify that per-user responses are not cached for a day.
  ExpiresDefault "access plus 1 day"
</IfModule>

# 9) Compression of text-based responses
# NOTE(review): text/html and application/json are in the list; when a
# dynamic response carries a secret next to reflected request data, the
# compressed length leaks information (BREACH-class side channel) — confirm
# that CSRF tokens and similar values are per-request or masked.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain text/html text/css application/javascript application/json application/xml image/svg+xml
</IfModule>

# 10) Extra MIME types
#     Maps these extensions to their media types so the files are served with
#     a matching Content-Type; the nosniff header set in this file makes
#     browsers rely on that declared type.
<IfModule mod_mime.c>
  AddType image/avif .avif
  AddType image/webp .webp
  AddType font/woff2 .woff2
</IfModule>

# 11) Second line of defence for directory listings: if Indexes is ever
#     switched back on by mistake, fancy indexing stays off, so any listing
#     is produced in the plain format.
<IfModule mod_autoindex.c>
  IndexOptions -FancyIndexing
</IfModule>
