# php -- BEGIN cPanel-generated handler, do not edit
# Set PHP handler for modern PHP versions
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php80 .php .php7 .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit

# ====================================
# SECURITY HEADERS
# ====================================

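<IfModule mod_headers.c>
    # "always" makes every directive below apply to error responses (4xx/5xx) too; a plain
    # "Header set" only touches successful responses, so error pages would ship without any of them.

    # Prevent clickjacking (legacy header; frame-ancestors in the CSP below is the modern equivalent)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent content type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # The browser XSS auditor this header controlled has been removed from current browsers, and where it
    # still exists it can be turned against the page, so it is explicitly disabled ("0") rather than enabled.
    Header always set X-XSS-Protection "0"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions policy (replaces Feature-Policy)
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Content Security Policy.
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src give up most of the XSS protection a CSP
    # provides, and "https:" in img-src allows images from any origin; moving inline scripts to nonces/hashes
    # is the real fix but needs application changes. object-src 'none' and base-uri 'self' are added because
    # they close plugin and <base>-injection holes without affecting normal pages.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.telegram.org *.telegram.me; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' *.telegram.org *.telegram.me; frame-ancestors 'self'; object-src 'none'; base-uri 'self'"

    # Strict Transport Security. Sent only on TLS responses (env=HTTPS, set by mod_ssl); the header is
    # meaningless over plain HTTP. With includeSubDomains and preload in place every subdomain must serve
    # valid TLS for the full max-age, and a preload-list entry is slow to undo -- confirm that before keeping
    # "preload".
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</IfModule>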

# ====================================
# SECURITY - HIDE SERVER INFO
# ====================================

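# Hide server software version
<IfModule mod_headers.c>
    # NOTE(review): the Server header is written by the core after mod_headers has run, so unsetting it
    # from .htaccess has no effect; it can only be trimmed with ServerTokens in the server configuration.
    # The line is kept for intent but should not be relied on.
    Header always unset Server
    # X-Powered-By is added by PHP (controlled by the system-level expose_php setting); it is in the
    # response table when mod_headers runs, so stripping it here works. "always" also covers error responses.
    Header always unset X-Powered-By
    Header always unset X-AspNet-Version
    Header always unset X-Runtime
    Header always unset X-Version
</IfModule>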

# ====================================
# PERFORMANCE - CACHING
# ====================================

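<IfModule mod_expires.c>
    ExpiresActive On

    # Dynamic responses (PHP-generated HTML, JSON from the bot/payment endpoints) must not be cached by
    # browsers or intermediaries; without these two lines ExpiresDefault below would mark them fresh for
    # two days. Responses that already carry their own Expires header (e.g. PHP session pages) are
    # presumably left untouched by mod_expires -- verify on this build.
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"

    # Cache images
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # Cache CSS and JS
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Cache fonts
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"

    # Everything not listed above
    ExpiresDefault "access plus 2 days"
</IfModule>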

# ====================================
# GZIP COMPRESSION
# ====================================

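<IfModule mod_deflate.c>
    # Compress text-like responses.
    # NOTE(review): compressing HTML/JSON that places a per-session secret (CSRF token, session id) next to
    # attacker-controlled input lets the secret be inferred from response sizes (BREACH). Presumably the
    # bot/payment responses do not reflect input alongside such tokens -- confirm, or exclude those responses.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json

    # Workarounds for Netscape 4 / early MSIE gzip bugs; harmless for current browsers
    <IfModule mod_setenvif.c>
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        # "Header" belongs to mod_headers, not mod_setenvif: guard it so a server without mod_headers
        # does not fail with an unknown-directive error for the whole directory.
        <IfModule mod_headers.c>
            Header append Vary User-Agent
        </IfModule>
    </IfModule>
</IfModule>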

# ====================================
# PROTECT SENSITIVE FILES
# ====================================

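# Deny direct access to dotfiles (.htaccess, .htpasswd, .git*, .env*), editor backups and server-side
# config/data files. ".php" is deliberately NOT in this list: the original pattern "php\d*" denied every
# PHP script, including the webhook and payment endpoints this site exists to serve -- which PHP files may
# be requested directly is controlled by the mod_rewrite allowlist elsewhere in this file, and a FilesMatch
# deny would override it. Note that .json/.xml are denied here, so the AddType for .json further down only
# matters if this list is relaxed.
<FilesMatch "(^#.*#|^\.(ht|git|env)|\.(conf|ini|log|json|sql|yml|yaml|xml|bak|swp)$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>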

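# Protect sensitive directories.
# <DirectoryMatch> is only valid in the server/virtual-host configuration; inside .htaccess it is rejected
# ("not allowed here") and every request under this directory fails with a 500. mod_alias RedirectMatch
# is permitted here and refuses the same paths. The pattern is anchored to whole path segments, unlike the
# original "include|config", which matched anywhere in the filesystem path (e.g. a "myconfig" directory or
# the account's own path); "^\." in the original could never match an absolute path at all.
# NOTE(review): presumably include(s)/config(s) are top-level directories -- extend the list if the layout
# differs.
<IfModule mod_alias.c>
    RedirectMatch 403 "(^|/)(\.git|\.svn|includes?|configs?)(/|$)"
</IfModule>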

# ====================================
# DISABLE DIRECTORY LISTING
# ====================================

<IfModule mod_autoindex.c>
    # Never auto-generate a listing for a directory without an index file.
    # NOTE(review): takes effect only if AllowOverride for this tree includes Options -- confirm on the host.
    Options -Indexes
</IfModule>

# ====================================
# PREVENT COMMON ATTACKS
# ====================================

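# HTTPS enforcement, canonical URLs and an allowlist of directly requestable PHP scripts
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Redirect plain HTTP to HTTPS first, so that every later redirect is issued over TLS (the original
    # order sent the trailing-slash redirect over plain HTTP and then redirected a second time).
    # NOTE(review): %{HTTPS} is "off" for every request behind a TLS-terminating proxy and would loop;
    # confirm TLS terminates on this server.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Remove trailing slashes (but not for directories)
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.+)/$ /$1 [L,R=301]

    # Keep /.well-known/ reachable (ACME / AutoSSL certificate validation) before dot-paths are refused
    RewriteRule ^\.well-known/ - [L]

    # Refuse any path segment that starts with a dot (.git, .env, .htaccess, ...)
    RewriteRule "(^|/)\." - [F]

    # Allowlist of PHP entry points (webhook + payment endpoints). This rule MUST come before the catch-all
    # below, because [F] ends rule processing: in the original the allow rule sat after "\.php$ - [F]" and
    # additionally required the target file NOT to exist (!-f), so it could never let anything through.
    # The catch-all covers every extension the PHP handler above maps (.php, .php7, .php8, .phtml).
    # NOTE(review): a root index.php is intentionally absent from the list; add it if the site serves one.
    RewriteRule ^(bot/user/index\.php|pay/request\.php|pay/verify\.php|run\.php)$ - [L]
    RewriteRule "\.(php\d*|phtml)$" - [F]
</IfModule>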

# ====================================
# DISABLE DANGEROUS FUNCTIONS
# ====================================

# disable_functions is a system-level php.ini setting and cannot be changed from .htaccess.
# The list below is for reference only -- set it in cPanel or the server's php.ini.
# NOTE(review): the bot and payment endpoints presumably reach the Telegram/gateway APIs through curl_*;
# confirm that before disabling curl_exec / curl_multi_exec, or they will stop working.
# disable_functions = passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

# ====================================
# CHARSET AND ENCODING
# ====================================

<IfModule mod_mime.c>
    # Declare UTF-8 for scripts, markup and static text assets
    AddCharset UTF-8 .php
    AddCharset UTF-8 .html
    AddCharset UTF-8 .js
    AddCharset UTF-8 .css
    # Map .json to its registered media type
    AddType application/json .json
</IfModule>

# ====================================
# LIMIT FILE UPLOADS & OPTIMIZE PHP
# ====================================

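<IfModule mod_php.c>
    # These lines take effect only when PHP runs as the Apache module (mod_php.c is the PHP 8 module name;
    # PHP 7 hosts use mod_php7.c). Under PHP-FPM / LSAPI / suPHP -- common for cPanel ea-php handlers --
    # this whole section is skipped silently and the same values must be set in the PHP configuration.

    # Request limits
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
    php_value max_execution_time 300
    php_value memory_limit 256M
    php_value default_charset UTF-8

    # NOTE(review): opcache.memory_consumption, opcache.interned_strings_buffer and
    # opcache.max_accelerated_files are presumably system-level (PHP_INI_SYSTEM) settings that are ignored
    # from .htaccess -- verify with phpinfo(); they are kept as a record of the intended values.
    php_value opcache.enable 1
    php_value opcache.memory_consumption 128
    php_value opcache.interned_strings_buffer 8
    php_value opcache.max_accelerated_files 4000
    php_value opcache.revalidate_freq 60

    # Hardening: never show errors to clients (log them instead), keep session cookies unreadable from
    # JavaScript and off plain HTTP (this file already redirects everything to HTTPS), and refuse session
    # ids the server did not issue.
    php_flag display_errors Off
    php_flag log_errors On
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_flag session.use_strict_mode On
</IfModule>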

# ====================================
# ALLOW SPECIFIC IPS ONLY FOR ADMIN
# ====================================

# Uncomment and adapt to restrict the admin panel to specific IPs. NOTE(review): <DirectoryMatch> is not
# accepted in .htaccess, so this example must go into the server/virtual-host configuration, or the
# "Require ip" lines into an .htaccess inside the admin directory itself.
# <DirectoryMatch "^.*(admin|panel).*">
#     <IfModule mod_authz_core.c>
#         Require ip 127.0.0.1
#         Require ip YOUR_IP_ADDRESS
#     </IfModule>
# </DirectoryMatch>
