# In Umbra — Apache config (for shared hosting)

# Serve sitemap.xml from the PHP generator. This is an internal rewrite (no
# redirect flag), so the client still sees the sitemap.xml URL; [L] ends rule
# processing for the current pass.
# RewriteEngine On here switches mod_rewrite on for the rules in this file.
# NOTE(review): nothing in this file blocks a direct request for
# sitemap.xml.php under its own name; confirm that is acceptable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^sitemap\.xml$ sitemap.xml.php [L]
</IfModule>

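# Response headers: allow indexing and set baseline browser hardening.
# "always" is used so the headers are also attached to error responses and
# redirects; a plain "Header set" works on the onsuccess table only and
# leaves those responses without them.
# NOTE(review): if the application emits any of these headers itself, check
# live responses for duplicates after this change.
<IfModule mod_headers.c>
    # Drop X-Robots-Tag from both header tables (we want to be indexed). A
    # header added by server-level config or by a CGI/FastCGI backend may sit
    # in either table, so unsetting only one can leave it in place.
    Header unset X-Robots-Tag
    Header always unset X-Robots-Tag
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options "nosniff"
    # Refuse rendering of this site inside a frame on any origin
    # (clickjacking defence).
    Header always set X-Frame-Options "DENY"
    # Cross-origin requests receive only the origin, not the path or query.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>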

# Cache static assets. Only image/svg+xml is given an expiry in this block
# (30 days counted from the time of the request); no other content type is
# configured here.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/svg+xml "access plus 30 days"
</IfModule>

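# Block web access to sensitive directories and files (403 Forbidden).
# These rules exist only while mod_rewrite is loaded: without it the
# <IfModule> body is skipped and the paths are served normally (fail-open).
# Prefer keeping includes/, sql/, api_adapter.py and setup.php outside the
# document root, or back this up with a deny rule that does not depend on
# mod_rewrite. Verify after deployment that each path really returns 403.
# The patterns are anchored with ^, so they match relative to the directory
# this configuration applies to and do not cover same-named files deeper in
# the tree.
<IfModule mod_rewrite.c>
    # Enabled here as well, so the deny rules do not silently depend on
    # another block of this file staying in place.
    RewriteEngine On
    # [NC] matches regardless of letter case, which matters when the site is
    # hosted on a case-insensitive filesystem.
    RewriteRule ^(includes|sql)/ - [NC,F,L]
    RewriteRule ^api_adapter\.py$ - [NC,F,L]
    RewriteRule ^setup\.php$ - [NC,F,L]
</IfModule>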

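# Fix #10: HSTS and Fix #12: CSP for Apache.
# "always" is used so both headers are also attached to error responses and
# redirects; a plain "Header set" works on the onsuccess table only.
<IfModule mod_headers.c>
    # HSTS: browsers honour this header only when it arrives over HTTPS.
    # includeSubDomains commits every subdomain to HTTPS for one year
    # (max-age=31536000), so confirm all of them serve valid TLS before
    # relying on it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # CSP caveats:
    #  - 'unsafe-inline' in script-src allows inline <script> blocks and
    #    event-handler attributes, so this policy gives little protection
    #    against injected inline script. Moving inline code to files, or to
    #    nonces/hashes, would let the keyword be dropped.
    #  - base-uri and form-action do not fall back to default-src and are
    #    not restricted by this policy.
    #  - frame-ancestors 'none' is the CSP counterpart of
    #    X-Frame-Options "DENY".
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
</IfModule>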
