# ============================================================
# MediCare HMS - Frontend .htaccess (Apache/cPanel)
# ============================================================
# Place this in: public_html/ or domain root directory
# ============================================================

# Enable Rewrite Engine
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Force HTTPS (uncomment in production)
  # RewriteCond %{HTTPS} off
  # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

  # ---- React SPA Routing ----
  # Don't rewrite files or directories that exist
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # Rewrite everything else to index.html (SPA)
  RewriteRule ^ index.html [L]
</IfModule>

# ---- API Proxy (Node.js Backend) ----
# cPanel Node.js app runs on localhost:5000
# This proxies /api/* requests to the Node.js backend
<IfModule mod_proxy.c>
  ProxyPass /api http://127.0.0.1:5000/api
  ProxyPassReverse /api http://127.0.0.1:5000/api

  ProxyPass /uploads http://127.0.0.1:5000/uploads
  ProxyPassReverse /uploads http://127.0.0.1:5000/uploads

  # WebSocket proxy for Socket.io
  ProxyPass /socket.io ws://127.0.0.1:5000/socket.io
  ProxyPassReverse /socket.io ws://127.0.0.1:5000/socket.io
</IfModule>

# ---- Security Headers ----
<IfModule mod_headers.c>
  # XSS Protection
  Header set X-XSS-Protection "1; mode=block"

  # Prevent MIME-type sniffing
  Header set X-Content-Type-Options "nosniff"

  # Clickjacking protection
  Header set X-Frame-Options "SAMEORIGIN"

  # HSTS (force HTTPS - uncomment after SSL setup)
  # Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

  # Referrer policy
  Header set Referrer-Policy "strict-origin-when-cross-origin"

  # Content Security Policy (adjust as needed)
  Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss:; media-src 'self' blob:;"
</IfModule>

# ---- Caching ----
<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"

  # CSS, JavaScript
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"

  # Fonts
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"

  # HTML
  ExpiresByType text/html "access plus 0 seconds"
</IfModule>

# ---- Compression ----
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml
</IfModule>

# ---- Block access to sensitive files ----
<FilesMatch "\.(env|json|lock|md|gitignore|htaccess)$">
  Order allow,deny
  Deny from all
</FilesMatch>

# ---- Directory listing off ----
Options -Indexes
