# ══════════════════════════════════════════════════════════════════════════════
# .htaccess AAZ Accounting – o2switch hébergement mutualisé
# Active Passenger pour Python + headers de sécurité + règles Apache
# ══════════════════════════════════════════════════════════════════════════════

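# ── Passenger (Python WSGI) ───────────────────────────────────────────────────
# TONCOMPTE is a placeholder for the o2switch account name; replace it before
# deploying. The venv interpreter is pinned so the system python is not used.
PassengerEnabled On
PassengerAppRoot /home/TONCOMPTE/aaz_accounting
PassengerAppEnv production
PassengerPython /home/TONCOMPTE/aaz_accounting/venv/bin/python3
PassengerStartupFile passenger_wsgi.py
PassengerRestartDir /home/TONCOMPTE/aaz_accounting/tmp

# ── Forced HTTPS (o2switch manages the certificate) ───────────────────────────
# 301 keeps the original host and path. If TLS were ever terminated upstream
# (proxy/CDN), %{HTTPS} would read "off" and this would loop; in that case the
# condition would have to look at X-Forwarded-Proto instead — not the case here
# as far as this file shows.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── Security headers ──────────────────────────────────────────────────────────
# "always" makes the headers apply to error responses (4xx/5xx) as well,
# including the Flask error pages routed via ErrorDocument below.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor is deprecated; "0" disables it explicitly because the
    # filter itself has been a source of side-channel issues, and the CSP below
    # is the supported mitigation.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # One year; "preload" is deliberately not set — it is hard to revert.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # object-src 'none' blocks plugins; base-uri 'self' stops <base> injection from
    # redirecting relative script URLs. 'unsafe-inline' in script-src still
    # weakens the policy considerably — moving inline scripts to files or to
    # nonces/hashes would let it be dropped.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none';"
    # Hide the Apache version.
    # NOTE(review): mod_headers generally cannot replace the Server header that
    # Apache core emits; ServerTokens is server-config only. Verify the actual
    # header with a HEAD request after deployment before relying on this.
    Header unset Server
    Header always set Server "AAZ"
</IfModule>

# ── Block access to sensitive files ───────────────────────────────────────────
# Extended with local database and editor/backup leftovers, which commonly
# end up in a document root. Apache 2.4 uses Require; the Order/Deny pair is
# kept only for hosts that still run 2.2 or load mod_access_compat, otherwise
# the 2.2 syntax alone produces a 500 on a 2.4 server.
<FilesMatch "\.(env|py|pyc|cfg|ini|log|sql|sh|key|pem|db|sqlite|sqlite3|bak|swp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block access to sensitive directories
RedirectMatch 403 ^/uploads_secure/
RedirectMatch 403 ^/exports_secure/
RedirectMatch 403 ^/logs/
RedirectMatch 403 ^/venv/
# Dotfiles and dot-directories (.git, .env, ...) — but /.well-known/ stays
# reachable so ACME HTTP-01 validation and security.txt keep working.
RedirectMatch 403 ^/\.(?!well-known/)
# Directory listings: `Options -Indexes` would prevent them, but it needs
# AllowOverride Options on the vhost or the whole site returns 500 — enable it
# only after confirming the host permits it.
# Options -Indexes

# ── Static file cache ─────────────────────────────────────────────────────────
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 30 days"
    ExpiresByType application/javascript "access plus 30 days"
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/svg+xml "access plus 30 days"
</IfModule>

# ── Compression ───────────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json
</IfModule>

# ── Upload size ───────────────────────────────────────────────────────────────
# NOTE(review): these are PHP settings; they do not apply to the Python app
# served by Passenger. The effective request-size limit for Flask is
# MAX_CONTENT_LENGTH in the app config. On a vhost without mod_php these lines
# can also trigger a 500 — confirm the host's PHP handler accepts them.
php_value upload_max_filesize 25M
php_value post_max_size 25M

# ── Error pages routed to Flask ───────────────────────────────────────────────
ErrorDocument 404 /errors/404
ErrorDocument 500 /errors/500
ErrorDocument 403 /errors/403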
