# OSCE Nexus – Apache hardening (cPanel)

# --- PHP handler (kept from cPanel-generated handler) ---
# NOTE(review): this copy names ea-php81, while the cPanel-generated block at
# the end of this file maps the same extensions to ea-php82. For a given
# extension the later AddHandler takes effect, so this copy is presumably
# inert. Confirm which PHP version actually serves requests and drop the
# stale mapping.
# Every extension listed here is executed as PHP. mod_mime also honours these
# extensions when they are not the last one in a file name, so if the
# application accepts uploads or writes files under the docroot, its name
# checks must reject .php, .php8 and .phtml in any position.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>

# --- Default index ---
# A request for a directory serves index.php when it exists, otherwise
# login.php. With directory listings disabled below, a directory holding
# neither file answers 403 rather than a listing.
DirectoryIndex index.php login.php

# --- Block direct access to sensitive files ---
# FilesMatch tests the file name only (no path), so this applies in this
# directory and every subdirectory. The pattern is anchored at both ends and
# is case-sensitive.
# NOTE(review): because of the trailing "$", names that merely contain these
# suffixes (a compressed or renamed dump such as "<name>.sql.gz", editor
# backups) are not covered, and neither are VCS or other dot-directories.
# This is a deny-list: the safer layout is to keep secrets, dumps and docs
# outside the docroot and treat this rule as a second layer.
<FilesMatch "^(\.osce_env|\.env|\.env\..*|.*\.sql|.*\.md|.*\.log|error_log|composer\.(json|lock)|README.*|DEPLOYMENT.*)$">
  Require all denied
</FilesMatch>

# --- Block PHP libraries and migrations from being requested directly ---
# In .htaccess context the patterns are matched against the path relative to
# this directory, so "^lib/" means the lib/ folder next to this file. [F]
# answers 403 Forbidden (and implies L). PHP include/require is unaffected,
# because it reads from the filesystem and not over HTTP.
# There is deliberately no <IfModule> wrapper: if mod_rewrite is unavailable
# the site fails with a 500 instead of silently serving these paths.
# NOTE(review): a subdirectory .htaccess that turns on its own RewriteEngine
# does not inherit these rules by default (see RewriteOptions Inherit), so
# verify lib/ and migrations/ contain no such file. make_hash.php looks like a
# one-off utility; removing it from the deployed tree is safer than relying
# on this rule.
RewriteEngine On
RewriteRule ^lib/  - [F,L]
RewriteRule ^migrations/  - [F,L]
RewriteRule ^env_loader\.php$ - [F,L]
RewriteRule ^make_hash\.php$  - [F,L]

# --- Disable directory listings ---
# -Indexes: no auto-generated listing for directories without an index file.
# -MultiViews: turns off content negotiation, so a request for a name without
# its extension is not silently mapped to a matching file. That keeps the
# exact-name deny rules in this file meaningful.
# Requires AllowOverride to permit Options here; otherwise Apache returns 500
# for every request in this directory.
Options -Indexes -MultiViews

# --- Force HTTPS (uncomment after SSL is verified working) ---
# NOTE(review): while this stays commented out, login.php and session cookies
# can be requested over plain HTTP. Track enabling it as a deployment step.
# When enabling:
#   - if TLS terminates on a proxy or CDN in front of Apache, %{HTTPS} may be
#     "off" for every request and this rule would loop; test against the
#     forwarded-scheme header that front end sets instead;
#   - the redirect target reuses the client-supplied Host header; a fixed
#     canonical host name is stricter;
#   - once HTTPS is stable, a Strict-Transport-Security header stops later
#     plaintext attempts at the browser.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

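# --- Standard hardening headers (defense in depth – PHP also sets these) ---
# Plain "Header set" is skipped on Apache-generated error responses, for
# example the 403s produced by the deny rules in this file. "always" covers
# those responses as well.
# The "always" headers live in a separate table from the ones PHP emits, so
# each name is first removed from the normal table to avoid sending it twice.
# As before, the values set here override whatever PHP sent.
# X-Frame-Options is the legacy control; if a Content-Security-Policy is added
# later, frame-ancestors 'self' is its current equivalent.
<IfModule mod_headers.c>
  Header unset X-Content-Type-Options
  Header always set X-Content-Type-Options "nosniff"
  Header unset X-Frame-Options
  Header always set X-Frame-Options "SAMEORIGIN"
  Header unset Referrer-Policy
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>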

# --- Cache static assets ---
# Lifetimes are counted from the time of the request ("access"). Only the MIME
# types listed below receive Expires/Cache-Control from this block. PHP
# output is not listed, so caching of authenticated pages is left to whatever
# headers the application sends.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/png  "access plus 7 days"
  ExpiresByType image/jpeg "access plus 7 days"
  ExpiresByType image/svg+xml "access plus 7 days"
  ExpiresByType text/css   "access plus 1 day"
  ExpiresByType application/javascript "access plus 1 day"
  ExpiresByType audio/mpeg "access plus 30 days"
</IfModule>

# The block below is written and rewritten by cPanel. Leave everything between
# the BEGIN/END markers untouched and change the PHP version through cPanel.
# As the last AddHandler for these extensions in this file, it is the mapping
# expected to take effect (ea-php82).
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php82” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php82 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
