# ══════════════════════════════════════════════════════════════
# elallasform.hu — public/.htaccess
# ══════════════════════════════════════════════════════════════

Options -Indexes
Options -MultiViews

RewriteEngine On

# ── HTTPS kényszerítés ────────────────────────────────────────
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── www nélküli canonical ─────────────────────────────────────
RewriteCond %{HTTP_HOST} ^www\.elallasform\.hu [NC]
RewriteRule ^ https://elallasform.hu%{REQUEST_URI} [L,R=301]

# ── Statikus fájlok átmennek ──────────────────────────────────
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# ── Szép URL-ek (opcionális, jövőbeli router-hez) ─────────────
# RewriteRule ^(.*)$ index.php [QSA,L]

# ── Biztonsági fejlécek ───────────────────────────────────────
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

  # HSTS (1 év, csak HTTPS-en)
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

  # CSP — widget form iframe engedélyezése mindenhonnan
  # (A widget/form.php-hoz külön CSP van beállítva PHP-ban)
  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; font-src https://fonts.gstatic.com; img-src 'self' data:; frame-ancestors 'self';"
</IfModule>

# ── PHP beállítások ───────────────────────────────────────────
<IfModule mod_php.c>
  php_flag display_errors Off
  php_flag log_errors On
  php_value error_log /var/log/elallasform/php_errors.log
  php_value session.cookie_httponly 1
  php_value session.cookie_secure 1
  php_value session.cookie_samesite "Strict"
  php_value session.use_strict_mode 1
</IfModule>

# ── Érzékeny fájlok letiltása ─────────────────────────────────
<FilesMatch "\.(env|log|sql|sh|git|htpasswd)$">
  Order allow,deny
  Deny from all
</FilesMatch>

# ── Tömörítés ─────────────────────────────────────────────────
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json
</IfModule>

# ── Cache statikus fájlokra ───────────────────────────────────
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/css              "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
  ExpiresByType image/png             "access plus 3 months"
  ExpiresByType image/svg+xml         "access plus 3 months"
</IfModule>
