# =================================================================
# SECURE .htaccess - Built Step by Step
# Each security layer is clearly marked
# =================================================================

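# BASIC SECURITY (Always Active)
# Response headers that do not depend on the application. "always" makes
# mod_headers attach them to error responses as well, not only to 2xx.
<IfModule mod_headers.c>
    # Clickjacking: refuse to be framed at all (the CSP below repeats this
    # as frame-ancestors 'none' for browsers that prefer CSP)
    Header always set X-Frame-Options DENY
    # Stop browsers from MIME-sniffing a response away from its Content-Type
    Header always set X-Content-Type-Options nosniff
    # Legacy filter header kept for old browsers; current ones ignore it and
    # rely on the Content-Security-Policy set further down
    Header always set X-XSS-Protection "1; mode=block"
    # Limit what the Referer header leaks: full URL same-origin, origin only
    # cross-origin, nothing on an HTTPS->HTTP downgrade
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always unset X-Powered-By
    # NOTE(review): Apache core adds the Server header after mod_headers has
    # run, so this unset is expected to have no effect; the header can only be
    # reduced with ServerTokens/ServerSignature in the server config, which
    # are not permitted in .htaccess.
    Header always unset Server
</IfModule>

# No automatic directory listings where an index file is missing
Options -Indexes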

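# =================================================================
# STEP 1: Prevent access to sensitive files ✅ WORKING
# =================================================================
# Deny by file extension (matched case-sensitively against the file name).
# Added to the original list: env (secrets), bak/old/orig (editor and deploy
# copies of config files), swp (editor swap files). "ini" deliberately also
# covers php.ini / .user.ini.
# NOTE(review): FilesMatch only sees file names, so directories such as
# version-control metadata are not covered by this rule; handle those in the
# vhost or with a path-based rewrite if they can exist under the web root.
# "Require all denied" is Apache 2.4 syntax (2.2 would need Order/Deny).
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|sql|conf|env|bak|old|orig|swp)$">
    Require all denied
</FilesMatch>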

# =================================================================
# STEP 2: Block SQL injection attempts ✅ WORKING
# =================================================================
# Signature filter on the query string. NOTE(review): %{QUERY_STRING} is the
# raw, still percent-encoded string, so encoded spellings of these patterns
# are not matched - treat this as noise reduction, not as input validation;
# application-level controls (parameterised queries) remain the real defence.
RewriteEngine On
# UNION ... SELECT ... (
RewriteCond %{QUERY_STRING} (union.*select.*\() [NC,OR]
# SELECT ... FROM <catalog or system table> - one condition instead of four
RewriteCond %{QUERY_STRING} (select.*from.*(information_schema|sysobjects|syscolumns|mysql\.user)) [NC,OR]
# Any ".." - the former "\.\./|\.\." alternation reduced to its second branch,
# which already covers the first. Also matches harmless values such as "1..10".
RewriteCond %{QUERY_STRING} (\.\.) [NC]
# Any request that satisfied one of the conditions above gets 403 Forbidden
RewriteRule ^ - [F,L]

# =================================================================
# STEP 3: Block XSS attempts (SOFT VERSION) ✅ ACTIVE
# =================================================================
# More targeted XSS protection - only block obvious attacks
# Same caveat as STEP 2: the query string is matched undecoded, and the
# script-tag pattern needs both an opening and a closing tag to fire.
# RewriteEngine is already on from STEP 2. The outer parentheses are kept on
# purpose - a CondPattern starting with "<" would otherwise be read by
# mod_rewrite as a lexicographic comparison.
RewriteCond %{QUERY_STRING} (<script[^>]*>.*</script>) [NC,OR]
# javascript: / vbscript: URLs followed by at least one non-space character
RewriteCond %{QUERY_STRING} ((javascript|vbscript):[^\s]+) [NC,OR]
# HTML smuggled in a data: URL
RewriteCond %{QUERY_STRING} (data:text/html) [NC]
RewriteRule ^ - [F,L]

# =================================================================
# STEP 4: Block hacking tools but ALLOW okhttp ✅ ACTIVE
# =================================================================
# Two user-agent deny lists, matched case-insensitively as substrings. There
# is no explicit allow rule: okhttp passes simply because it is not listed.
# NOTE(review): the User-Agent is chosen by the client, so this only deters
# tools that do not bother to change it; short tokens such as "java",
# "email", "grab", "extract" and "loader" will also match any legitimate
# agent string that happens to contain them.
# HTTP client libraries and download tools
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|winhttp|clshttp|python-requests|Go-http-client|java|wget) [NC,OR]
# Site copiers, scrapers and address harvesters
RewriteCond %{HTTP_USER_AGENT} (BBBike|HTTrack|archiver|loader|email|harvest|extract|grab|miner|scrapy) [NC]
RewriteRule ^ - [F,L]

# =================================================================
# IMPROVEMENT 1: Content Security Policy (CSP) STRICT ✅ ACTIVE
# =================================================================
# Strict CSP for maximum security - blocks inline scripts and external resources
# NOTE(review): with script-src and style-src at 'self' and no 'unsafe-inline',
# every inline <script>, <style> and style="" attribute in the pages is
# blocked; confirm the templates comply, or trial the same value as
# Content-Security-Policy-Report-Only with a reporting endpoint first.
# Exceptions to 'self': img-src additionally allows data: and any https:
# origin (wider than the rest of the policy); font-src allows data:;
# connect-src allow-lists https://api.transub.dz - keep in sync with the app.
# frame-ancestors 'none' is the CSP counterpart of X-Frame-Options DENY above.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://api.transub.dz; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
</IfModule>

# =================================================================
# IMPROVEMENT 2: HSTS (HTTP Strict Transport Security) ✅ ACTIVE
# =================================================================
# Forces all connections to use HTTPS permanently
# Protects against protocol downgrade attacks
# NOTE(review): browsers honour this header only when it arrives over HTTPS,
# and only from the first HTTPS visit onwards. This file contains no
# HTTP->HTTPS redirect, so the first plain-HTTP request is not covered here -
# confirm the redirect is done in the vhost or by the TLS terminator.
# NOTE(review): "includeSubDomains" + "preload" commit every subdomain to
# HTTPS for a year and, once the site is submitted to the browser preload
# list, are very hard to reverse; verify that all subdomains serve valid TLS
# before keeping "preload".
<IfModule mod_headers.c>
    # max-age=31536000 is one year, the minimum the preload list accepts
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

# =================================================================
# IMPROVEMENT 3: Advanced Rate Limiting (mod_evasive) ❌ DISABLED
# =================================================================
# Module mod_evasive24 is not available on this server - enabling the block below causes a 500 error.
# Note also that the DOS* directives are server/vhost-scoped, so even with the module loaded they
# belong in the server configuration rather than in .htaccess (confirm against the module's documentation).
# <IfModule mod_evasive24.c>
#     DOSHashTableSize    2097152
#     DOSPageCount        5
#     DOSPageInterval     1
#     DOSSiteCount        50
#     DOSSiteInterval     1
#     DOSBlockingPeriod   600
#     DOSEmailNotify      r.benamer@transub.dz
#     DOSLogDir           /var/log/mod_evasive
# </IfModule>

# =================================================================
# GEOLOCATION: DISABLED FOR TESTING - WILL BE RE-ACTIVATED
# =================================================================
# Temporarily disabled to allow testing
# Will be re-enabled once IP ranges are properly tested

# Algerian IP protection - DISABLED FOR NOW
# Will be re-enabled after confirming it works for all Algerian providers

# =================================================================
# NOTE: Geo-blocking will be re-enabled after testing
# =================================================================

# =================================================================
# FINAL STATUS: Core protections active ✅
# Active: sensitive-file denial, SQL/XSS query-string filters, user-agent filter, strict CSP, HSTS
# Disabled pending server support/testing: DDoS rate limiting (mod_evasive), geo-blocking
# =================================================================