# ===========================================
# Family Park Hotels - Apache Configuration
# Internally rewrites all requests to the /public folder
# ===========================================

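<IfModule mod_rewrite.c>
    # NOTE(review): everything here is wrapped in <IfModule>, so a server
    # without mod_rewrite skips both rules silently and serves this directory
    # as-is. If this file sits in the project root, pointing the vhost's
    # DocumentRoot at public/ is the more robust way to keep the rest of the
    # tree unreachable.
    RewriteEngine On

    # Force HTTPS everywhere except local development hosts.
    # The host exclusions are anchored (optional :port, then end of string) so
    # only these exact names skip the redirect. An unanchored prefix such as
    # ^localhost also exempts any hostname that merely starts with it, and
    # ^10\.0\.2\.2 also exempts 10.0.2.20 through 10.0.2.29.
    # NOTE(review): %{HTTPS} describes the connection Apache itself terminates.
    # Behind a TLS-terminating proxy or load balancer it stays "off" and this
    # rule would redirect forever; confirm the deployment topology.
    # NOTE(review): the redirect target is built from the client-supplied Host
    # header. That is fine when the vhost only answers for known names
    # (ServerName/ServerAlias); on a catch-all vhost use a fixed canonical
    # hostname instead.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} !^localhost(:[0-9]+)?$ [NC]
    RewriteCond %{HTTP_HOST} !^127\.0\.0\.1(:[0-9]+)?$
    RewriteCond %{HTTP_HOST} !^10\.0\.2\.2(:[0-9]+)?$
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Internal rewrite (no client-visible redirect): map every request that is
    # not already under /public/ onto the public folder. The condition also
    # stops the rule from re-applying to its own output.
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteRule ^(.*)$ /public/$1 [L]
</IfModule>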

# Security Headers
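<IfModule mod_headers.c>
    # "always" puts the header on error and redirect responses too, not only
    # on successful ones.
    # NOTE(review): this file forces HTTPS but sets no Strict-Transport-Security
    # header, and no Content-Security-Policy. Both are worth adding once the
    # certificate setup and the page's script/style sources are confirmed.

    # Prevent clickjacking: only same-origin pages may frame this site.
    # (CSP "frame-ancestors" is the modern equivalent.)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Legacy XSS auditor: explicitly disabled. Current browsers have removed
    # the auditor, and in the older ones that still honour this header the
    # "1; mode=block" setting could itself be abused to leak information or
    # suppress legitimate scripts. Output encoding plus a Content-Security-Policy
    # is the actual XSS defence.
    Header always set X-XSS-Protection "0"

    # Referrer Policy: full URL to same-origin, origin only to other HTTPS
    # sites, nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Remove PHP version from headers. mod_headers keeps separate "onsuccess"
    # and "always" tables, so the header is removed from both.
    # (Setting expose_php = Off in php.ini stops PHP from emitting it at all.)
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>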

# Disable directory listing: a directory without an index file is refused
# rather than shown as an auto-generated file list.
# NOTE(review): if this is a .htaccess file, the server config must allow
# Options in AllowOverride, otherwise this line fails every request with a
# 500 - confirm against the vhost.
Options -Indexes

# Deny access to sensitive files
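# Deny every file whose own name starts with a dot (.env, .htaccess,
# .gitignore, ...).
# FilesMatch tests the file's base name only, not its path, so files INSIDE a
# dot-directory (for example .git/config) are not covered by this block.
# Use Require on Apache 2.4+ (mod_authz_core) and fall back to the 2.2
# Order/Deny syntax otherwise. On a 2.4 server without mod_access_compat the
# old directives alone make every request fail with a 500.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>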

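# Deny dependency manifests, the artisan CLI entry point and env files.
# The pattern is anchored at the end only, so it matches any file NAME ending
# in one of these strings (e.g. "prod.env"). Backup copies with an extra
# suffix such as "composer.json.bak" do not match.
# NOTE(review): FilesMatch tests the base name, so the "\.git" alternative
# only catches a file literally ending in ".git". It does not protect the
# contents of a .git/ directory - keep the repository outside the served tree
# or deny that path separately.
# Use Require on Apache 2.4+ (mod_authz_core) and fall back to the 2.2
# Order/Deny syntax otherwise. On a 2.4 server without mod_access_compat the
# old directives alone make every request fail with a 500.
<FilesMatch "(composer\.(json|lock)|package(-lock)?\.json|artisan|\.env|\.git)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>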