# ============================================================
# PWA / invcount — Apache configuration
# ============================================================

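# 1. Manifest MIME type — required for installability
# Only the manifest should be served as application/manifest+json. Mapping the
# whole ".json" extension (as a bare "AddType ... .json" does) relabels every
# JSON file on the site, which trips clients that check Content-Type on API or
# data responses. Prefer the ".webmanifest" extension; a file literally named
# manifest.json is handled by the <Files> block below. NOTE(review): if the
# manifest has a different name, add it there — otherwise install will fail.
AddType application/manifest+json .webmanifest
<Files "manifest.json">
    ForceType application/manifest+json
</Files>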

# 2. Prevent directory listing of all directories
# Without this, any directory lacking an index file would have its contents
# listed by mod_autoindex. NOTE(review): "Options" in a .htaccess needs
# "AllowOverride Options" (or "Options=Indexes") in the main config; if that is
# not granted Apache answers 500 for the whole directory tree — verify on the
# host before relying on this line.
Options -Indexes

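# 3. Protect sensitive files
# A list of exact names (".env", ".git", ".htaccess", ...) is too narrow:
# FilesMatch tests only the final path component, so ".git" (a directory) never
# stopped requests for .git/config or .git/HEAD, and variants such as
# .env.local or .htpasswd were not covered at all. Deny every dot-file outright
# (.well-known/ is unaffected — the files inside it do not start with a dot) ...
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
# ... and answer 404 for anything inside a VCS metadata directory, which
# FilesMatch cannot express. 404 rather than 403 so the directory's existence
# is not confirmed to a scanner.
<IfModule mod_alias.c>
    RedirectMatch 404 "(?:^|/)\.(?:git|svn|hg)(?:/|$)"
</IfModule>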

# 4. HTTPS redirect (safe to remove when behind a TLS terminator / proxy)
# Behind a proxy that terminates TLS, %{HTTPS} is never "on" for the backend
# request, so this rule would redirect every request in a loop — hence the
# note above. Honouring X-Forwarded-Proto here instead is only safe if the
# proxy overwrites that header (a direct client could otherwise send it to
# skip the redirect); configure that at the vhost/proxy level, not in this file.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only force HTTPS if the request is plain HTTP
    RewriteCond %{HTTPS} !=on
    RewriteCond %{ENV:HTTPS} !=on
    # NOTE(review): the target reuses the client-supplied Host header (port
    # included). If the vhost answers for arbitrary Host values this redirects
    # to whatever host the request named — pin the hostname here, or make sure
    # the vhost only serves its own ServerName. The query string is carried
    # over by mod_rewrite automatically; [NE] stops REQUEST_URI from being
    # percent-escaped a second time.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
</IfModule>

# 5. HSTS — tell browsers to always use HTTPS
# max-age 63072000 s = two years. "includeSubDomains" commits every subdomain,
# including any that only speak HTTP today, and "preload" asks to be hard-coded
# into browser preload lists — effectively irreversible once accepted. Keep
# those two tokens only if that is intended for the whole domain. Browsers
# ignore this header on plain-HTTP responses, so emitting it on the redirect
# above (via "always") is harmless.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</IfModule>

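# 6. Security headers
# "always" makes these apply to error responses (4xx/5xx) as well, not only 2xx.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options      "nosniff"
    # Legacy clickjacking defence; a Content-Security-Policy "frame-ancestors"
    # directive supersedes it in current browsers. No CSP is set in this file —
    # add one once the app's script/style/connect origins are known.
    Header always set X-Frame-Options             "SAMEORIGIN"
    # "1; mode=block" enabled a browser XSS auditor that has since been removed
    # and, where it still exists, could be abused to leak page content or
    # selectively break scripts; current guidance (OWASP) is to disable it.
    Header always set X-XSS-Protection            "0"
    Header always set Referrer-Policy             "strict-origin-when-cross-origin"
    Header always set Permissions-Policy          "geolocation=(), microphone=(), camera=()"
    # Drop the version banner a backend such as PHP adds (no-op if absent).
    Header always unset X-Powered-By
</IfModule>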

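# 7. Static asset cache control
# "Header set" (without "always") applies to successful responses only, so
# error pages are not marked cacheable.
<IfModule mod_headers.c>
    # One year + immutable is only correct for content-hashed build output
    # (e.g. app.3f2a1c.js). An unhashed bundle served this way is never
    # re-fetched, which also pins users to an old — possibly vulnerable — copy
    # for a year. Confirm the build emits hashed names before keeping this.
    <FilesMatch "\.(css|js|woff2?|ttf|eot)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
    <FilesMatch "\.(png|jpe?g|webp|avif|svg|gif|ico)$">
        Header set Cache-Control "public, max-age=86400"
    </FilesMatch>
    # The service-worker script and the manifest must override the ".js" rule
    # above (a later FilesMatch wins for the same header). Browsers treat a
    # cached service-worker script specially, but relying on that is fragile;
    # "no-cache" forces revalidation on every update check, as recommended.
    # NOTE(review): adjust the names below to the actual files in this app.
    <FilesMatch "^(sw|service-worker)\.js$|^manifest\.(json|webmanifest)$">
        Header set Cache-Control "no-cache"
    </FilesMatch>
</IfModule>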
