# .htaccess - Configuration Apache pour l'API cookies
# Groupe 4 Sécurité

# ===== CONFIGURATION DE BASE =====
# One directive instead of three: no directory listings, no content
# negotiation (MultiViews could otherwise map a URL like /cookies_api onto
# cookies_api.php), and symlink following, which mod_rewrite needs for the
# per-directory rules below. On shared hosts SymLinksIfOwnerMatch is the
# safer alternative to FollowSymLinks; mod_rewrite accepts either.
Options -Indexes -MultiViews +FollowSymLinks

# ===== RÉÉCRITURE D'URL =====
RewriteEngine On
RewriteBase /

# Optional HTTPS redirect — left disabled. Enable it once TLS is terminated
# here; the HSTS header further down is only honoured by browsers over HTTPS.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# API dispatch: /api/cookies/<rest> and the legacy /cookies/<rest> both go to
# cookies_api.php with <rest> passed as ?action=. QSA keeps the client's own
# query string; L stops this pass and re-runs the rules on the new URI.
RewriteRule ^(?:api/)?cookies/(.*)$ cookies_api.php?action=$1 [QSA,L]

# Site root → the API's test page.
RewriteRule ^$ cookies_api.php?action=test [L]

# ===== SÉCURITÉ =====
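# Deny direct access to scripts and data files by default; only the API entry
# point and the ErrorDocument target are re-allowed. <Files>/<FilesMatch>
# sections are merged in order of appearance, so the later <Files> sections
# override this blanket deny.
# Apache 2.4 expresses access control with Require (mod_authz_core); the
# Order/Allow/Deny form only works on 2.2 or when mod_access_compat is loaded
# and is otherwise a configuration error (HTTP 500). Both forms are provided.
<FilesMatch "\.(php|ini|log|sql|json)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# The only script clients may request directly — every route rewrites to it.
<Files "cookies_api.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>

# The ErrorDocument directives below internally redirect to /error.php; that
# request goes through access control too, so the file must be reachable or
# Apache falls back to its built-in page ("Additionally, a 403 Forbidden ...").
<Files "error.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>

# Already covered by the FilesMatch pattern above; kept explicit so the intent
# survives if that pattern list is ever edited.
<Files "config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>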

# Belt-and-braces with "Options -Indexes" above: should a listing ever be
# generated anyway, hide every entry from it.
<IfModule mod_autoindex.c>
    IndexIgnore *
</IfModule>

# Referrer blocklist (the two domains are sample placeholders). The Referer
# header is chosen by the client, so treat this as noise reduction, not as a
# security control.
RewriteCond %{HTTP_REFERER} ^https?://([^.]+\.)*(spammer|hacker)\.com [NC]
RewriteRule .* - [F,L]

# User-Agent blocklist. NOTE(review): besides scanners this denies the most
# common HTTP client libraries (curl, wget, python-*), which are exactly what
# consumers of an API tend to use, and the header is client-supplied so it is
# not a reliable control either — reconsider whether this API should keep it.
# "wkito" matches no tool I recognise; possibly a typo — confirm.
RewriteCond %{HTTP_USER_AGENT} (curl|wget|python|nikto|wkito|libwww-perl|masscan|nmap) [NC]
RewriteRule .* - [F,L]

# ===== EN-TÊTES DE SÉCURITÉ =====
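# Security response headers. "always" makes them apply to error responses
# (4xx/5xx, including the 403s produced by the rules above) as well as to
# successful ones; plain "set" only touches the success table.
<IfModule mod_headers.c>
    # The legacy browser XSS auditor has been removed from current engines and
    # had information-leak problems in old ones; current guidance is to switch
    # it off explicitly and rely on CSP instead.
    Header always set X-XSS-Protection "0"
    # "set", not "append": append could produce "SAMEORIGIN, SAMEORIGIN" if the
    # PHP side emits the header as well, and browsers treat that as invalid.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # CSP. NOTE(review): 'unsafe-inline' in script-src largely cancels the XSS
    # protection CSP offers; left unchanged because the test page may depend on
    # inline scripts — move to nonces or hashes once it no longer does.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"

    # HSTS, one year including subdomains. Browsers only honour this header over
    # HTTPS, so it is inert until the HTTPS redirect above is enabled. Make sure
    # every subdomain really serves HTTPS before shipping includeSubDomains.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Feature-Policy is superseded by Permissions-Policy; send both while older
    # browsers are still in use.
    Header always set Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>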

# ===== CACHE =====
# Cache lifetimes (mod_expires emits matching Expires and Cache-Control: max-age).
<IfModule mod_expires.c>
    ExpiresActive On
    # NOTE(review): API JSON is declared cacheable for an hour. If responses are
    # per-user (the CORS section sends Allow-Credentials: true), cookies_api.php
    # must emit Cache-Control: private or no-store, otherwise a shared cache may
    # hand one user's response to another — confirm against the script.
    ExpiresByType application/json "access plus 1 hour"
    ExpiresByType text/html "access plus 1 day"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    # Every media type not listed above.
    ExpiresDefault "access plus 2 days"
</IfModule>

# ===== COMPRESSION =====
# Compress text-like responses. AddOutputFilterByType accepts a list of media
# types, so one directive (with line continuations) replaces ten. Image types
# are deliberately absent — they are already compressed.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css \
        application/xml application/xhtml+xml application/rss+xml \
        application/javascript application/x-javascript application/json
</IfModule>

# ===== LIMITES =====
# PHP runtime limits. php_value is only honoured when PHP runs as an Apache
# module; under PHP-FPM these lines are ignored and the limits belong in the
# pool config / php.ini. NOTE(review): the module name carries the PHP major
# version on older releases (e.g. mod_php7.c), so check that this guard matches
# the installed PHP or the block is silently skipped.
<IfModule mod_php.c>
    # 10M upload cap; post_max_size must be at least upload_max_filesize.
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
    # Five minutes of execution and input parsing — generous for an API: it
    # keeps long uploads alive but also lets slow requests occupy workers.
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
</IfModule>

# ===== GESTION DES ERREURS =====
# Custom error pages, all rendered by one script with the status code as a
# query parameter. NOTE(review): each of these is an internal redirect to
# /error.php, which is itself subject to the access rules above — the FilesMatch
# deny covers *.php and only cookies_api.php is re-allowed, so as written every
# custom error would fall back to Apache's built-in page. Confirm error.php is
# reachable.
ErrorDocument 400 /error.php?code=400
ErrorDocument 401 /error.php?code=401
ErrorDocument 403 /error.php?code=403
ErrorDocument 404 /error.php?code=404
ErrorDocument 500 /error.php?code=500

# ===== BLOQUAGE IP =====
# Pour bloquer des IP spécifiques, décommentez et modifiez :
# Order Allow,Deny
# Allow from all
# Deny from 192.168.1.100
# Deny from 10.0.0.0/8

# ===== PROTECTION CONTRE DOS =====
# Throttle the upload endpoint.
# NOTE(review): <Location> is only valid in the server or virtual-host
# configuration; inside a .htaccess Apache rejects it ("not allowed here") and
# answers 500 for every request whenever mod_ratelimit is loaded. Move this
# section into the vhost config, or express it with <If>/<Files> here.
# Also, mod_ratelimit caps response *bandwidth* — the rate-limit value is in
# KiB/s — it does not limit the number of requests per IP, which is what this
# section's heading describes.
<IfModule mod_ratelimit.c>
    <Location "/api/cookies/upload">
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 10
    </Location>
</IfModule>

# ===== RÉÉCRITURE AVANCÉE =====
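# Answer 404 rather than 403 when any PHP file other than the API entry point
# or the error page is requested directly, so the file's existence is not
# revealed. error.php is excluded because the ErrorDocument internal redirects
# above would otherwise be turned into 404s themselves and loop into Apache's
# default page.
# NOTE(review): per-directory RewriteRules run in the fixup phase, i.e. after
# access control, so files the FilesMatch deny above already rejects get their
# 403 before this rule is reached; the 404 only matters for files that section
# lets through — verify on the target server.
RewriteCond %{REQUEST_FILENAME} \.php$
RewriteCond %{REQUEST_FILENAME} !/(cookies_api|error)\.php$
RewriteRule .* - [R=404,L]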

# Rediriger les versions sans www vers avec www (ou inversement)
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

# ===== ENCODAGE =====
# Default charset for text/plain and text/html responses that do not declare
# one. It applies to those two types only; the API's JSON is unaffected and
# should declare its charset in cookies_api.php.
AddDefaultCharset UTF-8

# ===== CORS (Cross-Origin Resource Sharing) =====
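# CORS. Only the listed origins are echoed back, and only when the Origin
# header matched one of them — never a wildcard, which browsers refuse anyway
# once Allow-Credentials is true. "always set" replaces "add": the headers then
# also appear on error responses, and cannot be duplicated if cookies_api.php
# emits them too (a duplicated Access-Control-Allow-Origin is rejected by the
# browser).
<IfModule mod_headers.c>
    # Anchored at both ends so the Origin must be exactly scheme://host[:port].
    # NOTE(review): localhost:3000 is a development origin — remove it from the
    # production copy; "votredomaine.com" is a placeholder to be replaced.
    SetEnvIf Origin "^http(s)?://(www\.)?(localhost:3000|votredomaine\.com)$" AccessControlAllowOrigin=$0
    Header always set Access-Control-Allow-Origin "%{AccessControlAllowOrigin}e" env=AccessControlAllowOrigin
    # The response now depends on the Origin header; tell caches so, since
    # mod_expires marks JSON responses cacheable.
    Header always merge Vary "Origin"
    Header always set Access-Control-Allow-Headers "origin, x-requested-with, content-type, x-api-key, x-group-id" env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS" env=AccessControlAllowOrigin
    Header always set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
</IfModule>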

# ===== MAINTENANCE MODE =====
# Pour activer le mode maintenance, décommentez :
# RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000
# RewriteCond %{REQUEST_URI} !/maintenance\.html$ [NC]
# RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif|css|js) [NC]
# RewriteRule .* /maintenance.html [R=503,L]
# ErrorDocument 503 /maintenance.html