# Admin Directory .htaccess
# Handles clean URLs and security hardening for the admin area

# Enable URL rewriting
# NOTE(review): the Rewrite* and Options directives below only take effect if
# the enclosing vhost grants the matching AllowOverride (FileInfo / Options);
# otherwise Apache answers every request in this directory with a 500 — confirm.
RewriteEngine On

# Prevent directory listing
# Without this, a request for the directory when no index file exists would get
# an autoindex page showing every script in the admin area.
Options -Indexes

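# Redirect /admin to /admin/login (if not already logged in)
# Intent: let index.php handle the directory request when it exists, otherwise
# send the browser to login.php.
#
# In per-directory context REQUEST_FILENAME for the request "/admin/" is the
# directory itself, so a "!-d" guard rejects exactly the request this rule
# targets and the redirect never fires (the request then falls through to the
# 403 produced by "Options -Indexes").  Test for the index file directly
# instead; the extra "/" is harmless whether or not REQUEST_FILENAME already
# carries a trailing slash.
RewriteCond %{REQUEST_URI} ^/admin/?$
RewriteCond %{REQUEST_FILENAME}/index.php !-f
# "^$" matches only the directory itself (the per-directory prefix is stripped
# before the pattern is applied); the relative target becomes /admin/login.php.
RewriteRule ^$ login.php [L,R=302]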

# Clean URLs - remove .php extension
# A request for /admin/foo is served by /admin/foo.php when that file exists
# and nothing named "foo" (file or directory) does.  The pattern rejects any
# path containing a dot, so names with an extension — and ".." — never match.
# Side effect: every PHP script here, including the utility scripts handled
# below, is also reachable without its extension.  The FilesMatch blocks should
# still apply, since the internal rewrite restarts processing on the final
# ".php" filename — confirm on the target Apache version.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^([^\.]+)$ $1.php [L]

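# Security: Block access to sensitive files
# The original list left dotenv files (".env", ".env.local"), YAML/lock files
# and editor swap/backup leftovers reachable; they are added here.  FilesMatch
# tests the basename, so "^\.env" catches every ".env*" variant.
# "Order/Deny" is the Apache 2.2 form; 2.4 only accepts it through
# mod_access_compat, so prefer "Require all denied" when mod_authz_core is
# loaded and fall back to the old form otherwise.
<FilesMatch "(^\.env|\.(htaccess|htpasswd|ini|log|sh|inc|bak|sql|md|env|yml|yaml|lock|swp|orig)$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>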

# Security: Prevent access to utility scripts after use
# Judging by their names these are one-shot setup helpers that change the admin
# credential or produce password hashes; anyone who can reach them once setup
# is done can take over the admin area.  As written this block is a no-op —
# the directives inside are commented out — so the scripts stay reachable
# (also via the extensionless clean URL) until the lines are enabled, or the
# files are deleted from the web root, which is the safer option.
<FilesMatch "^(reset-admin-password|generate-password-hash)\.php$">
    # Uncomment the line below to block access after setup
    # (Apache 2.4: "Require all denied"; the Order/Deny pair below is the 2.2
    #  form and on 2.4 needs mod_access_compat)
    # Order Allow,Deny
    # Deny from all
</FilesMatch>

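# Security headers for admin area
# "always" applies the headers to error responses (4xx/5xx) as well as to
# successful ones; "set" replaces any value the application itself emitted.
<IfModule mod_headers.c>
    # Prevent clickjacking
    Header always set X-Frame-Options SAMEORIGIN

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options nosniff

    # Legacy XSS auditor: explicitly disabled.  The auditor has been removed
    # from current browsers and, where it still exists, "1; mode=block" can
    # itself be abused to leak page content; current guidance (OWASP) is to
    # send "0" rather than enable it.
    Header always set X-XSS-Protection "0"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Admin pages are per-user and sensitive: keep them out of shared and
    # browser caches.  Limited to PHP responses so static assets still cache.
    <FilesMatch "\.php$">
        Header always set Cache-Control "no-store"
    </FilesMatch>
</IfModule>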

# Set default charset
# Apache appends "charset=UTF-8" to text/plain and text/html responses so
# browsers never guess an encoding (guessing is a classic XSS vector).  It also
# wins over a <meta> charset in the body, so the application must really emit
# UTF-8.
AddDefaultCharset UTF-8

