# Apache .htaccess for security
# This file protects sensitive files and enforces security rules

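# Protect config directory files from direct access.
# FilesMatch tests only the file's base name, so these three names are denied
# in this directory and in every subdirectory below it. The pattern is anchored,
# so backup or editor copies with an extra suffix are NOT covered by this rule.
# Denying the request matters most if PHP handling is ever disabled and the
# server would otherwise return the source (and any credentials in it) as text.
<FilesMatch "^(config\.php|database\.php|telegram\.php)$">
    # Apache 2.4+: native authorization syntax (needs AllowOverride AuthConfig).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax (needs AllowOverride Limit). On 2.4 these
    # directives exist only with mod_access_compat; without it an unguarded
    # "Order" makes every request to this directory fail with a 500.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>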

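# Protect sensitive utility files.
# setup_webhook.php becomes unreachable over HTTP with this rule, so it has to
# be run another way (presumably from the command line; confirm against the
# project's setup instructions). The .htaccess entry is defence in depth: stock
# Apache configurations usually deny ".ht*" files already, but that server-level
# rule is not visible from here.
<FilesMatch "^(setup_webhook\.php|\.htaccess)$">
    # Apache 2.4+: native authorization syntax (needs AllowOverride AuthConfig).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax (needs AllowOverride Limit); on 2.4 it is only
    # available through mod_access_compat.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>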

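# Enable PHP error logging (disable display in production).
# php_flag is provided by the PHP Apache module only. Under PHP-FPM or CGI an
# unguarded php_flag line is an unknown directive and turns every request into
# a 500, so each supported module name gets its own guard.
# CAUTION: when none of these modules is loaded the settings below are skipped
# silently. In that setup set display_errors/log_errors in php.ini or .user.ini
# and verify that error output is not shown to visitors.

# PHP 8 (module file mod_php.c)
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>

# PHP 7
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>

# PHP 5
<IfModule mod_php5.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>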

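# Security headers (uncomment in production)
# Note: X-XSS-Protection is deprecated and ignored by current browsers; a
# Content-Security-Policy header is the modern control. "Header always set"
# also applies to error responses that Apache generates itself.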
# <IfModule mod_headers.c>
#     Header set X-Content-Type-Options "nosniff"
#     Header set X-Frame-Options "SAMEORIGIN"
#     Header set X-XSS-Protection "1; mode=block"
# </IfModule>

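# Force HTTPS for webhook (uncomment in production)
# Note: behind a TLS-terminating proxy or load balancer %{HTTPS} stays "off"
# and this rule redirects in a loop. %{HTTP_HOST} comes from the request's
# Host header, so prefer a fixed host name in the redirect target.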
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteCond %{REQUEST_URI} ^/webhook/
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
