# Disable automatic directory listings and content negotiation (MultiViews),
# so only explicitly requested paths are served from this directory.
# Requires "AllowOverride Options" (or All) for this directory.
Options -Indexes -MultiViews

# Default charset appended to text/plain and text/html responses.
AddDefaultCharset UTF-8

# ════════════════════════════════════════════════════════════════════
#  CONFIGURACIÓN DE PRODUCCIÓN — editar antes de subir al hosting
# ════════════════════════════════════════════════════════════════════

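# ── Variables de entorno (alternativa a .env para cPanel) ────────
# Descomentar y completar con los datos reales del hosting.
# Nota: no subir al repositorio este archivo con credenciales reales; las
# variables definidas con SetEnv quedan visibles en $_SERVER y en phpinfo().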
#
# SetEnv DB_HOST     localhost
# SetEnv DB_NAME     cpanelusr_academica
# SetEnv DB_USER     cpanelusr_academica
# SetEnv DB_PASS     contraseña_segura
#
# SetEnv APP_URL     https://app.academica.bo
#
# SetEnv MAIL_HOST    mail.tudominio.com
# SetEnv MAIL_USER    info@tudominio.com
# SetEnv MAIL_PASS    contraseña_correo
# SetEnv MAIL_PORT    465
# SetEnv MAIL_ENCRYPT ssl
# SetEnv MAIL_FROM    info@tudominio.com
# SetEnv MAIL_FROM_NAME Academica SRL

# ── RewriteBase ───────────────────────────────────────────────────
# Usar "/" si public/ es la raíz del dominio/subdominio (recomendado).
# Usar "/subdir/public" si el sistema vive en un subdirectorio.

# ── Routing ──────────────────────────────────────────────────────────
<IfModule mod_rewrite.c>
    # Front-controller routing: every request that does not map to a real
    # file or directory is handed to index.php, keeping the query string.
    RewriteEngine On
    RewriteBase /

    # Existing files and directories are served as-is and never reach
    # index.php, so anything placed under public/ is directly downloadable.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [QSA,L]
</IfModule>

# ── Security headers ─────────────────────────────────────────────────
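<IfModule mod_headers.c>
    # Response hardening headers. "always" also applies them to error
    # responses (4xx/5xx), not only to successful ones.
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): the CSP below sends frame-ancestors 'none', which takes
    # precedence over X-Frame-Options in browsers that support CSP. The two
    # policies disagree (SAMEORIGIN vs. no framing at all) — pick one intent.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor is removed from current browsers and could itself
    # be abused in old ones; "0" disables it and leaves XSS defence to the CSP.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # HSTS is only sent when the request itself arrived over HTTPS.
    # NOTE(review): behind a TLS-terminating proxy the HTTPS variable may be
    # unset, in which case this header is never emitted — confirm on the host.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # CSP: allows the CDNs in use (Bootstrap, jQuery, SweetAlert2, DataTables).
    # Caveats: 'unsafe-inline' in script-src removes most of the XSS protection
    # a CSP provides, and allowing whole public CDN hosts permits any script
    # hosted there. Prefer self-hosted assets or nonces/hashes (plus SRI on the
    # <script>/<link> tags) when the templates allow it.
    # base-uri is added because it does not fall back to default-src.
    Header always set Content-Security-Policy "default-src 'self'; \
script-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com; \
style-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com fonts.googleapis.com; \
font-src 'self' fonts.googleapis.com fonts.gstatic.com cdn.jsdelivr.net; \
img-src 'self' data: blob:; \
connect-src 'self'; \
frame-ancestors 'none'; \
base-uri 'self';"
    # Remove headers that disclose the software stack.
    # X-Powered-By is set by PHP in the normal (onsuccess) header table, which
    # "Header always unset" does not touch, so it is removed from both tables.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    # The Server header is added by Apache core and usually cannot be removed
    # with mod_headers; reduce it with "ServerTokens Prod" in the main server
    # configuration (that directive is not allowed in .htaccess).
    Header always unset Server
</IfModule>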

# ── PHP settings ─────────────────────────────────────────────────────
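# PHP 8 registers its Apache module as mod_php.c (PHP 7 used mod_php7.c);
# there is no mod_php8.c, so a block guarded by that name is never applied
# and error_log would never be set. All settings live in one block here.
# These directives only take effect when PHP runs as an Apache module; under
# PHP-FPM / CGI / LSAPI (common on cPanel) the block is skipped and the same
# values must be set through .user.ini or the hosting panel.
<IfModule mod_php.c>
    # Never show errors to visitors; write them to a log instead.
    php_flag  display_errors      Off
    php_flag  log_errors          On
    # NOTE(review): a relative path is resolved against the PHP process's
    # working directory — verify the log really lands in storage/ outside the
    # web root, or switch to an absolute path.
    php_value error_log           ../storage/php_errors.log
    # post_max_size must stay larger than upload_max_filesize.
    php_value upload_max_filesize 10M
    php_value post_max_size       12M
    # expose_php is a php.ini-only (PHP_INI_SYSTEM) setting and is ignored
    # here; set "expose_php = Off" in php.ini or the hosting panel.
</IfModule>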

# ── Cache para assets estáticos ───────────────────────────────────────
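<IfModule mod_expires.c>
    # Browser cache lifetimes per response MIME type, counted from access time.
    # NOTE(review): ExpiresByType matches on the response type, so it can also
    # apply to documents produced through index.php when the application sends
    # no caching headers of its own — confirm that authenticated PDFs and
    # reports send an explicit Cache-Control (e.g. "private, no-store").
    ExpiresActive On
    ExpiresByType text/css                "access plus 1 month"
    # .js is served as application/javascript or text/javascript depending on
    # the server's mime.types; cover both.
    ExpiresByType application/javascript  "access plus 1 month"
    ExpiresByType text/javascript         "access plus 1 month"
    ExpiresByType image/jpeg              "access plus 1 month"
    ExpiresByType image/png               "access plus 1 month"
    ExpiresByType image/gif               "access plus 1 month"
    ExpiresByType image/webp              "access plus 1 month"
    ExpiresByType image/svg+xml           "access plus 1 month"
    ExpiresByType application/pdf         "access plus 1 week"
    # font/woff2 is the registered type; the application/ form is kept for
    # servers that still map .woff2 to the legacy name.
    ExpiresByType font/woff2              "access plus 6 months"
    ExpiresByType application/font-woff2  "access plus 6 months"
</IfModule>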

# ── Proteger archivos sensibles en public/ ────────────────────────────
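# Deny direct HTTP access to configuration, dump, log and backup files that
# may end up inside public/. This is defence in depth only: secrets (.env,
# SQL dumps, logs) belong outside the document root.
# The pattern is case-sensitive and matches on the file extension only.
<FilesMatch "\.(env|sql|log|md|lock|json|ini|bak)$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 the Order/Deny directives need
    # mod_access_compat and otherwise cause a 500 for the whole directory.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>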
