# ─────────────────────────────────────────────────────────────────────────────
#  Laravel API — api.svishtov.bg
#  Apache must have mod_rewrite + mod_headers enabled.
# ─────────────────────────────────────────────────────────────────────────────

# MultiViews off: no content negotiation, so a request for /foo is never
# silently mapped to foo.php (or another variant) behind the router's back.
# Indexes off: a directory without an index file answers 403 instead of a
# listing of its contents.
# Both need `AllowOverride Options` (or All) on the vhost; otherwise Apache
# returns 500 for every request under this directory.
Options -MultiViews -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # ── Pass Authorization header to PHP (CRITICAL for Laravel Sanctum) ──
    # Without this, Bearer tokens are stripped by Apache and all API
    # calls return 401 Unauthorized.
    # NOTE(review): the header is withheld from the script environment when
    # PHP runs as CGI/FastCGI (the mod_php SAPI normally sees it anyway);
    # exporting it as the HTTP_AUTHORIZATION env var is the portable workaround.
    # Apache 2.4.13+ also offers `CGIPassAuth On` for the same purpose — verify
    # which SAPI this server uses.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Pass X-XSRF-Token header (for Axios CSRF requests)
    # NOTE(review): non-auth request headers are normally forwarded to PHP as
    # HTTP_* on every SAPI, so this rule is probably redundant but harmless —
    # confirm before removing it.
    RewriteCond %{HTTP:x-xsrf-token} .
    RewriteRule .* - [E=HTTP_X_XSRF_TOKEN:%{HTTP:X-XSRF-Token}]

    # Remove trailing slashes (except for real directories)
    # `%1` is the path captured from REQUEST_URI by the RewriteCond just above;
    # the query string is carried over (no `?` in the substitution, no QSD).
    # NOTE(review): a 301 lets clients replay the request as GET, so a POST to
    # a trailing-slash URL loses its body. For an API a 308 preserves the
    # method — confirm that is the intended behaviour before changing it.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Route everything through Laravel front controller
    # Order matters: the two RewriteConds let real files (assets) and real
    # directories be served directly; everything else is handed to index.php.
    # Consequence: any real file placed in this directory is publicly readable
    # unless a <FilesMatch> block below denies it.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>

# ── Security headers ───────────────────────────────────────────────────────
<IfModule mod_headers.c>
    # `always` makes each header apply to error responses (4xx/5xx) too; Apache
    # keeps those in a separate header table that the plain form does not touch.
    Header always set X-Content-Type-Options  "nosniff"
    # DENY: no page on any origin may embed responses from this host in a frame.
    Header always set X-Frame-Options         "DENY"
    # HSTS for one year. Browsers ignore the header on plain-HTTP responses, so
    # it only takes effect once the API is served over TLS; includeSubDomains
    # extends it to every host below api.svishtov.bg — confirm they all serve
    # HTTPS before relying on it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Full URL on same-origin requests, origin only cross-origin, nothing on
    # HTTPS→HTTP downgrades.
    Header always set Referrer-Policy         "strict-origin-when-cross-origin"
    # Refuse Flash/PDF cross-domain policy files for this origin.
    Header always set X-Permitted-Cross-Domain-Policies "none"

    # Remove server fingerprint headers
    # PHP's X-Powered-By may be placed in either the normal or the error
    # response header table, so both forms are needed to clear it everywhere.
    # The Server header is not reliably removable from here (ServerTokens is a
    # server-config directive).
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# ── Deny access to sensitive files ────────────────────────────────────────
# <FilesMatch> tests only the last path component, so this covers `.env`,
# `.env.*`, `.gitignore`/`.gitattributes`, the composer and npm manifests and
# `artisan` as files — but NOT files inside a `.git/` (or any other) directory,
# which have their own names. Keep the repository and project root outside the
# DocumentRoot (Laravel serves from public/); if the project root must be the
# DocumentRoot, block the directory with a RewriteRule as well.
# `Require` in .htaccess needs `AllowOverride AuthConfig` (or All).
<FilesMatch "^\.env|^\.git|composer\.(json|lock)|package(-lock)?\.json|artisan$">
    Require all denied
</FilesMatch>

# ── PHP runtime limits ────────────────────────────────────────────────────
# Only honoured when PHP runs as the Apache module; under php-fpm/FastCGI the
# <IfModule> test fails and these lines are skipped silently (set the values
# in the pool configuration instead).
# NOTE(review): PHP 7 builds register mod_php7.c rather than mod_php.c, so on
# such a server this block would never apply — verify it is in effect.
# The sizes bound the request body PHP accepts and the memory/time a single
# request may consume, which also caps what one client can cost the server.
<IfModule mod_php.c>
    php_value upload_max_filesize   20M
    # post_max_size must be >= upload_max_filesize, otherwise uploads of the
    # full allowed size are rejected before PHP sees the file.
    php_value post_max_size         20M
    php_value max_execution_time    60
    php_value memory_limit          256M
</IfModule>
