# cPanel/Shared Hosting Compatible Configuration
# Disable auto-generated directory listings, so a directory without an index
# file is answered with 403 instead of exposing its file names.
Options -Indexes

# Compress text-based responses (plain text, markup, CSS, XML feeds and
# JavaScript) when mod_deflate is loaded.
# NOTE(review): if any compressed page reflects request input next to a secret
# such as a CSRF token, review it for BREACH-style compression side channels.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
</IfModule>

# Security headers ("always" also covers error responses).
#   X-Content-Type-Options: stops browsers MIME-sniffing a response into
#     another type.
#   X-Frame-Options: refuses all framing of these pages (clickjacking defence).
#   X-XSS-Protection: legacy XSS-filter switch. NOTE(review): current browsers
#     ignore it, so it does not replace a Content-Security-Policy, which this
#     file does not set.
#   Referrer-Policy: full URL to the same origin, origin only cross-origin,
#     nothing on an HTTPS-to-HTTP downgrade.
# NOTE(review): the later "Security headers" block in this file sets the same
# four headers again and adds Permissions-Policy, so one of the two blocks is
# redundant.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# PHP upload and resource limits for shared hosting (mod_php syntax).
# NOTE(review): upload_max_filesize, post_max_size and max_execution_time are
# set again further down in this file (100M / 100M / 300). The later values
# win, so only memory_limit from this group stays in effect.
# NOTE(review): php_value is understood only when PHP runs as an Apache module.
# Under CGI/FPM handlers Apache typically rejects it with a 500 error; confirm
# the handler used on the host.
php_value upload_max_filesize 50M
php_value post_max_size 55M
php_value max_execution_time 300
php_value memory_limit 256M

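# Hide software banners.
# X-Powered-By is removed from both the normal and the "always" header tables,
# so it is also stripped from error responses.
# NOTE(review): mod_headers generally cannot remove the Server header, because
# Apache's core adds it after this module has run. The directive is kept but
# should not be relied on.
<IfModule mod_headers.c>
    Header unset Server
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>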

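# Protect sensitive files: deny all HTTP access to configuration scripts
# (config*.php) and to cleanup.php. PHP code can still include them from disk.
# Apache 2.4 authorizes with Require (mod_authz_core). Order/Deny is kept only
# as the Apache 2.2 fallback, because on 2.4 those directives need
# mod_access_compat and break config parsing when it is not loaded.
<Files "config*.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

<Files "cleanup.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>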

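# Deny direct HTTP requests for library code (*.class.php, *.inc.php); these
# files are meant to be included by other scripts, not requested by URL.
# Require is used on Apache 2.4 (mod_authz_core); Order/Deny remains as the
# Apache 2.2 fallback, since on 2.4 it depends on mod_access_compat.
<FilesMatch "^(.*\.class\.php|.*\.inc\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>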

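# Deny downloads of logs, backups, SQL dumps and text/markdown notes.
# NOTE(review): the .txt rule also blocks robots.txt and
# .well-known/security.txt; exempt them if the site publishes either.
# Require is used on Apache 2.4 (mod_authz_core); Order/Deny remains as the
# Apache 2.2 fallback, since on 2.4 it depends on mod_access_compat.
<FilesMatch "\.(log|bak|backup|sql|md|txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>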

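# iOS install manifests (.plist / .manifest): serve as XML and allow
# cross-origin reads.
# ForceType sets the media type through Apache's own content-type handling
# instead of overwriting the Content-Type response header afterwards.
# The wildcard origin lets any site read these files, so they must hold nothing
# that is not meant to be public.
# The Header directive is guarded like the other mod_headers blocks in this
# file, so a host without the module does not fail on it.
<FilesMatch "\.(plist|manifest)$">
    ForceType application/xml
    <IfModule mod_headers.c>
        Header always set Access-Control-Allow-Origin "*"
    </IfModule>
</FilesMatch>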
# Upload and scratch directories: no directory listings, and any .htaccess
# found inside them is ignored (AllowOverride None), so a file dropped there
# cannot change server configuration.
# NOTE(review): <Directory> and AllowOverride are accepted only in the main
# server or virtual-host configuration, and <Directory> expects an absolute
# filesystem path. If this file is deployed as a .htaccess, Apache rejects
# these sections; on shared hosting the usual equivalent is a small .htaccess
# placed inside each directory.
# NOTE(review): nothing here stops the server from executing a script stored in
# uploads/ or temp/. If these directories receive user-supplied files, also
# disable script handlers for them.
<Directory "uploads">
    Options -Indexes
    AllowOverride None
</Directory>

<Directory "temp">
    Options -Indexes
    AllowOverride None
</Directory>

# Log directory: no listings, no .htaccess overrides, and every file in it is
# denied to HTTP clients.
# NOTE(review): <Directory> and AllowOverride are server/virtual-host context
# only and need an absolute path. If this file is a .htaccess, Apache rejects
# the section and the logs are then covered only by the extension-based deny
# rules elsewhere in this file.
# NOTE(review): Order/Deny is Apache 2.2 syntax; on 2.4 it needs
# mod_access_compat (the 2.4 form is "Require all denied").
<Directory "logs">
    Options -Indexes
    AllowOverride None
    <Files "*">
        Order allow,deny
        Deny from all
    </Files>
</Directory>

# Serve only files whose name ends in .ipa from downloads/.
# The first FilesMatch allows *.ipa. The second uses a negative lookahead to
# match every other file name and denies it.
# NOTE(review): the check is on the file extension only. Nothing in this
# configuration verifies that an IPA is signed, so signature checks must happen
# before a file is placed in this directory.
# NOTE(review): <Directory> and AllowOverride are server/virtual-host context
# only and need an absolute path; in a .htaccess Apache rejects this section.
<Directory "downloads">
    Options -Indexes
    AllowOverride None
    <FilesMatch "\.ipa$">
        Order allow,deny
        Allow from all
    </FilesMatch>
    <FilesMatch "^(?!.*\.ipa$).*$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

# Security headers ("always" also covers error responses).
# This repeats the four headers set by the earlier "Security headers" block in
# this file and adds Permissions-Policy, which turns off geolocation,
# microphone and camera access for the page and any frames it embeds.
# NOTE(review): X-XSS-Protection is a legacy header that current browsers
# ignore. No Content-Security-Policy or Strict-Transport-Security header is set
# anywhere in this file.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

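# File upload size limits (these override the 50M / 55M values set earlier in
# this file).
# post_max_size must be larger than upload_max_filesize: the POST body carries
# the file plus multipart framing and any other form fields, so with both at
# 100M a file at the limit would be rejected. The margin follows the 50M / 55M
# pattern of the earlier block.
# NOTE(review): large bodies combined with 300-second time limits widen the
# room for resource exhaustion; keep them no higher than the application needs.
# NOTE(review): php_value works only when PHP runs as an Apache module; confirm
# the handler used on the host.
php_value upload_max_filesize 100M
php_value post_max_size 105M
php_value max_execution_time 300
php_value max_input_time 300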

# Error handling: keep PHP errors out of responses (they can reveal paths and
# queries) and write them to a log file instead.
# NOTE(review): error_log is a relative path, so where the file ends up depends
# on the PHP process's working directory. If it resolves inside the web root,
# only the *.log deny rules in this file keep it from being downloaded. An
# absolute path outside the document root avoids both problems.
php_flag display_errors Off
php_flag log_errors On
php_value error_log logs/error.log

# Reduce version disclosure: ServerTokens Prod trims the Server header to the
# product name, and ServerSignature Off removes the version footer from
# server-generated pages such as error documents.
# NOTE(review): ServerTokens is accepted only in the main server configuration.
# If this file is deployed as a .htaccess, Apache rejects the directive and the
# site returns a 500 error; on shared hosting it has to be set by the provider.
ServerTokens Prod
ServerSignature Off

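# Prevent access to editor backup/swap files (#name#, name~, .swp, .bak) and to
# other file types that tend to hold source, credentials or dumps.
# Require is used on Apache 2.4 (mod_authz_core). Order/Deny/Satisfy remains as
# the Apache 2.2 fallback, because on 2.4 those directives need
# mod_access_compat and break config parsing when it is not loaded.
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>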

# Prevent access to version control metadata (.git, .svn, .hg, CVS), which can
# expose full source history and any credentials committed to it.
# NOTE(review): <DirectoryMatch> is accepted only in the main server or
# virtual-host configuration. If this file is deployed as a .htaccess, Apache
# rejects the section and these directories are not protected by it; a
# URL-based rule (mod_alias RedirectMatch or mod_rewrite) is the usual
# .htaccess equivalent.
# NOTE(review): Order/Deny/Satisfy is Apache 2.2 syntax; on 2.4 it needs
# mod_access_compat (the 2.4 form is "Require all denied").
<DirectoryMatch "^/.*(\.git|\.svn|\.hg|CVS)/">
    Order allow,deny
    Deny from all
    Satisfy All
</DirectoryMatch>
