# GHL Toolset - Performance & Security Configuration
# Apache .htaccess for production deployment

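# URL rewriting is switched on inside the <IfModule mod_rewrite.c> guard further down.
# An unguarded "RewriteEngine On" at this point would abort the whole file with a 500
# on a server without mod_rewrite, while adding nothing when the module is present.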

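# Security Headers
<IfModule mod_headers.c>
    # Content Security Policy.
    # NOTE(review): script-src carries 'unsafe-inline' (needed by the inline GA/GTM
    # snippets) plus whole-origin allowlists for unpkg.com and cdnjs.cloudflare.com.
    # 'unsafe-inline' removes most of CSP's XSS protection, and allowing an entire CDN
    # origin lets any library hosted there execute, including ones usable as CSP-bypass
    # gadgets. Prefer per-response nonces (check GTM's nonce guidance) and allow only the
    # specific library paths actually used. The AdSense/GA origin list is likely incomplete;
    # roll changes out via Content-Security-Policy-Report-Only with a reporting endpoint
    # first. frame-ancestors mirrors X-Frame-Options DENY below - CSP-aware browsers use
    # it instead of the legacy header.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com https://pagead2.googlesyndication.com https://cdnjs.cloudflare.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://*.googleusercontent.com https://www.google-analytics.com https://pagead2.googlesyndication.com data:; connect-src 'self' https://www.google-analytics.com https://analytics.google.com; frame-src https://googleads.g.doubleclick.net; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self';"
    
    # Security Headers
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    # The legacy XSS auditor has been removed from current browsers, and in older ones it
    # could be abused for cross-site leaks; "0" disables it explicitly. CSP is the real control.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), autoplay=(self)"
    
    # HSTS - sent only when mod_ssl has set the HTTPS env var, i.e. on TLS responses.
    # NOTE(review): if TLS terminates at a proxy/CDN in front of Apache, HTTPS is never set
    # here and this header is never sent; emit it at the edge or key it off X-Forwarded-Proto.
    # "preload" is effectively permanent once submitted to the preload list and, with
    # includeSubDomains, covers every subdomain - confirm they all serve HTTPS first.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    
    # Remove server information.
    # NOTE(review): the Server header is added by the core after mod_headers runs, so this
    # unset is normally a no-op from .htaccess; trimming the banner needs "ServerTokens Prod"
    # in the server config (not permitted in .htaccess).
    Header unset Server
    # X-Powered-By is added by PHP. Unset it in both the success and the "always" header
    # tables so non-2xx responses do not leak it either; expose_php=Off is the proper fix.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    
    # CORS for fonts and assets
    <FilesMatch "\.(woff2?|eot|ttf|otf|svg)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>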

# Compression
<IfModule mod_deflate.c>
    # Compress HTML, CSS, JavaScript, Text, XML and fonts.
    # NOTE(review): text/html and application/json are compressed as well. A compressed
    # response that echoes attacker-controlled input next to a per-session secret (CSRF
    # token, session id) is exposed to BREACH; mask such tokens per request or leave those
    # responses uncompressed. Pre-compressed formats (woff/woff2, raster images) are
    # deliberately not listed.
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/json
    
    # Remove browser bugs (only needed for really old browsers)
    # These three BrowserMatch lines target Netscape 4 and early IE and require the
    # "Vary: User-Agent" below, which forces every cache to keep one copy per User-Agent
    # string and largely defeats shared caching. Consider deleting all four lines. Note
    # that Header needs mod_headers, which this block does not check for.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent
</IfModule>

# Brotli compression. mod_brotli is an Apache module (bundled since 2.4.26), not an nginx
# feature. NOTE(review): when a client accepts both br and gzip and both this and the
# DEFLATE filter are registered for a type, which one applies depends on filter order -
# verify with curl -I -H 'Accept-Encoding: br, gzip' that br is actually chosen. The same
# BREACH caveat as for DEFLATE applies to dynamic text/html and JSON.
<IfModule mod_brotli.c>
    # Window size and max input block are log2 values per the mod_brotli docs
    # (18 -> ~256 KiB window, 24 -> 16 MiB block); level 6 is a moderate CPU trade-off.
    BrotliCompressionLevel 6
    BrotliCompressionWindowSize 18
    BrotliCompressionMaxInputBlock 24
    
    AddOutputFilterByType BROTLI_COMPRESS text/plain
    AddOutputFilterByType BROTLI_COMPRESS text/css
    AddOutputFilterByType BROTLI_COMPRESS text/xml
    AddOutputFilterByType BROTLI_COMPRESS text/javascript
    AddOutputFilterByType BROTLI_COMPRESS application/javascript
    AddOutputFilterByType BROTLI_COMPRESS application/json
    AddOutputFilterByType BROTLI_COMPRESS application/xml
    AddOutputFilterByType BROTLI_COMPRESS application/rss+xml
    AddOutputFilterByType BROTLI_COMPRESS application/atom+xml
    AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
</IfModule>

# Caching (mod_expires emits an Expires header plus a matching Cache-Control: max-age)
<IfModule mod_expires.c>
    ExpiresActive On
    
    # Images
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    
    # Fonts - both the registered font/* types and the older application/* aliases are
    # listed so the rule matches whichever type the AddType lines further down assign.
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/eot "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
    ExpiresByType application/x-font-ttf "access plus 1 year"
    
    # CSS and JavaScript
    # NOTE(review): the mod_headers block further down sets a one-year "immutable"
    # Cache-Control for .css/.js, so the one-month Expires emitted here disagrees with it.
    # Cache-Control wins in HTTP/1.1 caches, but pick one policy.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    
    # HTML
    # NOTE(review): text/html covers every PHP-rendered page, not only static .html. A
    # one-hour expiry on a page that differs per user or session lets a shared cache serve
    # it to the wrong visitor; the .php Cache-Control rule below must therefore not mark
    # such responses "public".
    ExpiresByType text/html "access plus 1 hour"
    
    # JSON and XML
    ExpiresByType application/json "access plus 1 day"
    ExpiresByType application/xml "access plus 1 day"
    ExpiresByType text/xml "access plus 1 day"
    
    # Default: anything not listed above (e.g. .webmanifest, video) caches for a week.
    ExpiresDefault "access plus 1 week"
</IfModule>

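# Cache-Control Headers
# "Header set" replaces the Cache-Control that mod_expires emits (its Expires header is
# still sent; HTTP/1.1 caches prefer Cache-Control) - confirm the final values with curl -I.
<IfModule mod_headers.c>
    # Static assets with long cache.
    # NOTE(review): "immutable" tells browsers never to revalidate, even on reload, for a
    # year. That is only safe when file names are content-hashed (app.3f2a1c.js); with plain
    # names, returning visitors keep stale CSS/JS after a deploy.
    <FilesMatch "\.(css|js|png|jpg|jpeg|gif|svg|woff2|woff|ttf|eot|ico|webp)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
    
    # Static HTML files - short public cache
    <FilesMatch "\.html$">
        Header set Cache-Control "public, max-age=3600, must-revalidate"
    </FilesMatch>
    
    # PHP-rendered pages. Clean URLs rewrite to *.php, so this matches every dynamic page
    # including the 403/404/500 error pages. They must not be marked "public": a shared
    # cache (CDN, corporate proxy) would serve one visitor's response - session state,
    # per-user content, a transient error - to everyone else for an hour.
    # "private, no-cache" lets the browser keep a copy but forces revalidation; use
    # "no-store" for pages carrying secrets, or "private, max-age=N" for pages known to be
    # identical for every visitor.
    <FilesMatch "\.php$">
        Header set Cache-Control "private, no-cache"
    </FilesMatch>
    
    # Static .json/.xml files on disk. FilesMatch sees only the final filename, so a PHP
    # endpoint behind a clean URL is governed by the .php rule above, not this one.
    <FilesMatch "\.(json|xml)$">
        Header set Cache-Control "public, max-age=86400"
    </FilesMatch>
</IfModule>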

# ETag removal for better caching
# Older Apache versions derived the ETag partly from the inode, which differs between
# servers/CDN origins and causes needless cache misses. With ETags gone, revalidation
# relies on Last-Modified (static files only; PHP output has no validator and is simply
# refetched when stale).
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

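# Keep-Alive
# NOTE(review): the "Header set Connection keep-alive" that used to live here has been
# removed. Connection is a hop-by-hop header that the server manages itself (KeepAlive /
# KeepAliveTimeout in the server config). Forcing it from mod_headers is at best a no-op
# and can collide with a server-generated "close" or produce a header that HTTP/2
# forbids, where connection-specific headers are not allowed.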

# URL Redirects and Rewrites
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Force HTTPS (uncomment when SSL is ready)
    # NOTE(review): behind a TLS-terminating proxy %{HTTPS} stays "off" and this would
    # loop; test %{HTTP:X-Forwarded-Proto} instead in that setup.
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Force WWW or non-WWW (choose one)
    # The target is built from the request's Host header, so this is only safe when the
    # vhost is bound to known ServerName/ServerAlias values (otherwise the redirect
    # target is attacker-chosen).
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Remove trailing slashes from non-directories (301 /foo/ -> /foo).
    # %1 is the capture from the last matching RewriteCond: the request path minus its
    # trailing slash. It starts with "/", so mod_rewrite should expand it to a same-host
    # absolute URL and carry the query string over - NOTE(review): confirm that a request
    # such as //evil.example/ does not produce an off-host Location.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]
    
    # Clean URLs - remove .php extension.
    # Any extension-less path that is not an existing file or directory is mapped to
    # <path>.php. The deny rules later in this file (includes/, lib/, config*.php, ...)
    # match on the rewritten name, so they still apply to /includes/foo and /config.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^([^.]+)$ $1.php [NC,L]
    
    # Redirect .php to clean URLs. THE_REQUEST is the raw request line and is not changed
    # by the internal rewrite above, so the two rules do not loop.
    # Caveats: [^.]+ stops at the first dot, so a dotted directory (/v1.2/page.php)
    # redirects to the wrong target (/page), and any PATH_INFO after .php
    # (/page.php/extra) is dropped.
    RewriteCond %{THE_REQUEST} /([^.]+)\.php [NC]
    RewriteRule ^ /%1 [NC,L,R=301]
</IfModule>

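# File Protection
# Deny direct download of secrets, backups, logs and tooling files anywhere under this
# directory (FilesMatch is applied to the final path component, recursively).
# Apache 2.4 uses Require; the Order/Deny pair is kept for 2.2 and for 2.4 hosts that only
# load mod_access_compat (on 2.4 without that module, bare Order/Deny fails the whole file).
<FilesMatch "\.(env|log|htaccess|htpasswd|ini|po|pot|sh|sql|tgz|gz|tar|bak|backup|tmp|temp|yml|yaml|lock|swp|orig|dist|phps)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Dotfiles. The pattern above only matches names that END in ".env", so .env.local /
# .env.production would still be downloadable; this also covers .gitignore, editor state
# and similar. Directories are not matched by FilesMatch, so /.well-known/ is unaffected.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>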

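# Protect sensitive directories
# Code, tests, logs and backups that must never be served directly. Respond with 404
# rather than 403 so a probe does not confirm that the directory exists. Patterns are
# anchored to this .htaccess directory (as the originals were); use (^|/) if the same
# names can occur deeper in the tree. [NC] guards case-insensitive filesystems.
<IfModule mod_rewrite.c>
    RewriteRule ^(includes|lib|tests|logs|backup)(/|$) - [NC,R=404,L]
</IfModule>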

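# Prevent access to config files
# "config*.php" is a shell-style glob on the final path component, so config.php,
# config.local.php, configuration.php ... are denied in every directory. Files with other
# names inside a config/ subdirectory are NOT covered by this rule.
# Require for Apache 2.4; Order/Deny kept for 2.2 / mod_access_compat-only hosts.
<Files "config*.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>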

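# Block access to version control
# The original rules were anchored at the top level only, so a checkout in a subdirectory
# (sub/.git/config) stayed readable. Match the VCS directory at any depth and answer 404
# so the probe does not confirm that a repository exists.
<IfModule mod_rewrite.c>
    RewriteRule (^|/)\.(git|svn|hg|bzr)(/|$) - [NC,R=404,L]
</IfModule>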

# Limit file upload size (if needed). php_value only works when PHP runs as mod_php;
# under php-fpm/CGI these lines make Apache return 500 - use a .user.ini or the FPM
# pool config instead.
# php_value upload_max_filesize 2M
# php_value post_max_size 2M

# Performance: Enable KeepAlive
# NOTE(review): this only sets an environment variable named keep_alive on every request;
# no Apache module is documented to read it, so it has no effect on connection reuse.
# Keep-alive is controlled by KeepAlive/KeepAliveTimeout in the server config. Safe to delete.
<IfModule mod_setenvif.c>
    SetEnvIf Request_URI ".*" keep_alive=1
</IfModule>

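# MIME Types
<IfModule mod_mime.c>
    # Web fonts - registered types (RFC 8081). They must line up with the types named in
    # the mod_expires and mod_deflate sections above: the former font/truetype for .ttf
    # appeared in neither list (so .ttf was served uncompressed and missed the font expiry
    # rule), and font/opentype for .otf was compressed but absent from the expiry list.
    # font/ttf and font/otf are in both lists; font/woff and font/woff2 are in the expiry list.
    AddType font/woff2 .woff2
    AddType font/woff .woff
    AddType application/vnd.ms-fontobject .eot
    AddType font/ttf .ttf
    AddType font/otf .otf
    
    # Web app manifest
    AddType application/manifest+json .webmanifest
    AddType application/x-web-app-manifest+json .webapp
    
    # Media files
    AddType video/mp4 .mp4
    AddType video/webm .webm
    # audio/mpeg is the registered type for MP3 (and Apache's own mime.types default);
    # the previous audio/mp3 is non-standard.
    AddType audio/mpeg .mp3
    AddType audio/ogg .ogg
    
    # SVG (.svgz is gzip-compressed SVG, hence the extra AddEncoding)
    # NOTE(review): SVG is XML and may carry <script>. If any SVG in this tree comes from
    # user uploads, serve those with "Content-Disposition: attachment" or a restrictive
    # CSP; nosniff alone does not neutralise scripts in a directly opened SVG.
    AddType image/svg+xml .svg .svgz
    AddEncoding gzip .svgz
    
    # WebP
    AddType image/webp .webp
    
    # JSON
    AddType application/json .json
    AddType application/ld+json .jsonld
</IfModule>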

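# Robots.txt and sitemap accessibility
# Explicitly allowed (and cached for a day) so that a broader deny rule added later cannot
# hide them from crawlers. Require for Apache 2.4, Order/Allow for 2.2 / mod_access_compat.
# The Header directive is guarded so the section cannot 500 when mod_headers is absent.
<FilesMatch "^(robots\.txt|sitemap\.xml)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    <IfModule mod_headers.c>
        Header set Cache-Control "public, max-age=86400"
    </IfModule>
</FilesMatch>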

# Error Pages (customize these paths)
# These are PHP scripts, so they pass through the same rewrites, handler and headers as
# any other page; keep them clear of every deny pattern (e.g. never name one config*.php)
# or the 403 handler would itself be forbidden. Local absolute paths, as used here, keep
# the original status code; a full URL would turn every error into a 302.
ErrorDocument 404 /404.php
ErrorDocument 403 /403.php
ErrorDocument 500 /500.php

# Character encoding - adds charset=UTF-8 to text/plain and text/html responses.
# Declaring the charset removes the browser's need to sniff it, which closes off
# encoding-based XSS tricks (e.g. UTF-7 sniffing in old browsers).
# NOTE(review): on some Apache versions this also overrides a charset that a script sets
# in its own Content-Type header - verify if any page must emit a different encoding.
AddDefaultCharset UTF-8

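# Server signature
# Only affects Apache-generated pages (default error pages, directory listings). The
# Server response header is governed by ServerTokens in the server config and cannot be
# changed from .htaccess.
ServerSignature Off

# Directory listings are not disabled anywhere else in this file; without this, any
# directory lacking an index file would list its contents (source layout, backups, uploads).
# NOTE(review): needs "AllowOverride Options" (or All). If the host forbids it, Apache
# answers 500 for the whole site and this line must move to the vhost config instead.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>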

# Hotlink Protection (uncomment and customize). A bandwidth measure, not a security
# control: the !^$ condition lets any request without a Referer through, and Referer is
# trivially omitted or spoofed.
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif|svg|css|js)$ - [F]

# Rate Limiting (basic protection)
# NOTE(review): mod_evasive's directives are server/vhost scope. If the module is loaded,
# Apache will most likely reject them in .htaccess ("not allowed here" -> 500 for the whole
# site); if it is not loaded the block is silently skipped. Move this to the vhost config.
# Thresholds: 5 hits to the same URI or 50 to the site within a 1-second window bans the
# client IP for 60 s. Counters are kept per child process and per source IP, so an office
# behind one NAT address trips it easily while a distributed flood barely registers -
# treat it as a speed bump, not DoS protection.
<IfModule mod_evasive24.c>
    DOSHashTableSize    2048
    DOSPageCount        5
    DOSPageInterval     1
    DOSSiteCount        50
    DOSSiteInterval     1
    DOSBlockingPeriod   60
</IfModule>

# PHP error handling. The previous heading called these "debug settings to comment out in
# production", but these values are the production-safe ones: errors are logged, never
# displayed. They apply only under mod_php; with php-fpm set them in the pool config or
# php.ini. NOTE(review): the relative error_log path presumably resolves against the
# script's working directory, i.e. inside the web root - point it at a file outside
# DocumentRoot rather than relying on the logs/ and *.log deny rules above.
# php_flag display_errors Off
# php_flag log_errors On
# php_value error_log logs/php_errors.log