# =============== /backend — HARDENED (secure and compatible) ===============
# Apache .htaccess for the /backend directory. Each directive below needs the
# matching AllowOverride (Options, FileInfo, AuthConfig, Indexes); a directive
# the server does not allow in .htaccess yields a 500, not a silent no-op.
# -Indexes: no directory listings. -MultiViews: no content negotiation, so a
# request for "name" is never mapped to name.php / name.bak by the server.
Options -Indexes -MultiViews
AddDefaultCharset UTF-8

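<IfModule mod_rewrite.c>
  RewriteEngine On

  # 1) Only the methods the backend needs (blocks TRACE/PUT/DELETE, etc.).
  #    This only runs when mod_rewrite is loaded; TraceEnable Off in the
  #    server config is the canonical way to disable TRACE.
  RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)$ [NC]
  RewriteRule ^ - [F]

  # 2) Block dotfiles and dot-directories (.git, .env, .htpasswd, ...).
  #    In per-directory context the tested path has no leading slash, so
  #    (^|/) catches both top-level and nested dot entries; .well-known/ is
  #    exempted (e.g. ACME challenges, security.txt).
  RewriteRule "(^|/)\.(?!well-known/)" - [F]

  # 3) Block common internal directories.
  RewriteRule ^(vendor|tests|build|cache)(/|$) - [F]

  # 4) Block backups, editor swap files and archive/dump artefacts.
  RewriteRule \.(?:bak|old|orig|save|swp|swo|sql|tar|t?gz|zip|rar|7z)$ - [F,NC]

  # 5) Reject traversal or null bytes in the raw request line or the query
  #    string. THE_REQUEST is not URL-decoded, so both conditions check the
  #    percent-encoded form too, case-insensitively (%2E%2E == ../).
  RewriteCond %{THE_REQUEST} (\.\./|%2e%2e|%00) [NC,OR]
  RewriteCond %{QUERY_STRING} (\.\./|%2e%2e|%00) [NC]
  RewriteRule ^ - [F]

  # 6) (Optional) Normalise an absolute filesystem path if one ever arrives.
  #RewriteRule ^home/tanbella/public_html/backend/(.*)$ /backend/$1 [R=301,L]
</IfModule>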

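# 7) + 8) File access control. Apache applies <Files>/<FilesMatch> sections
#    in the order they appear and, with the default AuthMerging Off, a later
#    section's Require replaces an earlier one. The generic ".php → granted"
#    section therefore MUST precede the deny sections; in the reverse order
#    config.php, db.php, guard.php and diag.php match both and end up granted.

# 8) Allow backend PHP (your guard controls permissions).
<FilesMatch "\.php$">
  Require all granted
</FilesMatch>

# 7) Block internal/sensitive files. The optional (\..*)? covers the bare
#    name and any extension chain (config, config.php, config.php.bak, ...).
<FilesMatch "^(config|db|guard|diag)(\..*)?$">
  Require all denied
</FilesMatch>
<FilesMatch "^(composer\.(json|lock)|phpunit\.xml(\.dist)?|artisan|\.env|error_log)$">
  Require all denied
</FilesMatch>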

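# 9) Security headers + no-cache.
#    "always" acts on the table that is sent with every status code; it is
#    not a superset of the default condition (see the X-Powered-By note).
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-Permitted-Cross-Domain-Policies "none"
  # HSTS, only when EVERYTHING is served over HTTPS (can also be lifted to
  # the site root). env=HTTPS relies on the HTTPS variable mod_ssl sets;
  # behind a TLS-terminating proxy it may never be set — confirm.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

  # Prevent caching of backend responses.
  Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
  Header always set Pragma "no-cache"

  # Hide the PHP version banner. A header PHP adds to a 2xx response lives in
  # the default (onsuccess) table, which "Header always unset" does not touch,
  # so both forms are needed. expose_php=Off in php.ini stops it at the source.
  Header unset X-Powered-By
  Header always unset X-Powered-By
</IfModule>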

# 10) CORS — disabled; optional allow-list. Enable only if browsers on another
#     origin must call this backend. The echoed origin is the matched value
#     ($0), and Vary: Origin keeps caches from serving one origin's response
#     to another.
#<IfModule mod_headers.c>
#  SetEnvIf Origin "^https://(www\.)?tanbellamipea\.com$" ORIGIN_OK=$0
#  Header always set Access-Control-Allow-Origin "%{ORIGIN_OK}e" env=ORIGIN_OK
#  Header always set Vary "Origin"
#  Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
#  Header always set Access-Control-Allow-Headers "Content-Type, X-CSRF-Token"
#  Header always set Access-Control-Allow-Credentials "false"
#</IfModule>

# 11) (Optional) Upload size limit in bytes — 10485760 = 10 MB; adjust to your
#     Excel files. Apache has no trailing comments: keep the size note on this
#     line, never after the directive, or the directive fails to parse (500).
#LimitRequestBody 10485760

# 12) (Optional) PHP flags, if the hosting permits them. Two caveats:
#     - <IfModule> does not expand wildcards, so "mod_php*.c" never matches;
#       use the exact module name of the installed PHP (e.g. php_module /
#       mod_php.c on PHP 8) — confirm against the host's build.
#     - php_flag/php_value only apply under mod_php. Under PHP-FPM/CGI (common
#       on shared hosting) they are ignored; use .user.ini or php.ini instead.
#<IfModule mod_php*.c>
#  php_flag display_errors Off
#  php_value session.cookie_httponly 1
#  php_value session.cookie_secure 1
#  php_value session.cookie_samesite "Lax"
#</IfModule>

# 13) Avoid "fancy" listings even if Indexes gets re-enabled higher up
#     (defence in depth behind Options -Indexes at the top of this file).
<IfModule mod_autoindex.c>
  IndexOptions -FancyIndexing
</IfModule>

# 14) Plain 403 page (optional). A quoted string is served as the literal
#     message; keep it generic so it reveals nothing about what was denied.
#ErrorDocument 403 "Acceso denegado."
