# Admin API Directory - Internal API Endpoints
# Secure AJAX endpoints for admin panel

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /adm/api/

    # Block direct .php access (except modules.php which is used by C++ app).
    # THE_REQUEST (the raw request line, not REQUEST_URI) is tested so that the
    # internal rewrite to $1.php further down does not trip this rule; it also
    # means a ".php" inside the query string matches, not only the path.
    # NOTE(review): "!modules" is an unanchored substring match on the path, so
    # every path containing "modules" -- not just modules.php -- is exempted from
    # this rule and the two below; confirm the exact path the C++ app requests
    # and anchor the pattern to it.
    RewriteCond %{THE_REQUEST} \.php [NC]
    RewriteCond %{REQUEST_URI} !modules [NC]
    RewriteRule .* - [F,L]

    # Allow GET requests for modules.php (C++ app), but require POST for other endpoints
    RewriteCond %{REQUEST_URI} !modules [NC]
    RewriteCond %{REQUEST_METHOD} !^POST$ [NC]
    RewriteRule .* - [F,L]

    # Require AJAX header for POST requests (but allow modules.php GET requests from C++ app).
    # Browsers do not attach a custom X-Requested-With header to a cross-site
    # request without a CORS preflight, so this doubles as a CSRF mitigation for
    # the POST endpoints; the actual token validation is done in the PHP handlers.
    RewriteCond %{REQUEST_URI} !modules [NC]
    RewriteCond %{REQUEST_METHOD} ^POST$ [NC]
    RewriteCond %{HTTP_X_REQUESTED_WITH} !XMLHttpRequest [NC]
    RewriteRule .* - [F,L]

    # Remove .php extension: /adm/api/foo is served by foo.php when that file
    # exists and "foo" is not a directory. QSA keeps the original query string.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^([^\.]+)$ $1.php [NC,L,QSA]
</IfModule>

# Security Headers
# NOTE(review): a plain "Header set" applies to 2xx responses only, so the 403s
# produced by the rewrite rules above are sent without these headers;
# "Header always set" also covers error responses -- confirm which is intended.
<IfModule mod_headers.c>
    # No caching for API responses (HTTP/1.1 plus the legacy HTTP/1.0 directives)
    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header set Pragma "no-cache"
    Header set Expires "0"

    # Security: stop MIME sniffing of the JSON body and forbid framing.
    # X-XSS-Protection is a legacy header most current browsers no longer act
    # on; harmless here, but Content-Security-Policy is the supported control.
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    Header set X-XSS-Protection "1; mode=block"

    # JSON content type, forced on every successful response in this directory
    # -- presumably overriding whatever the PHP script emits; verify no endpoint
    # here returns a non-JSON body.
    Header set Content-Type "application/json; charset=utf-8"

    # No indexing
    Header set X-Robots-Tag "noindex, nofollow"

    # CSRF token requirement (check in PHP). This is an informational response
    # marker only; it enforces nothing by itself.
    Header set X-CSRF-Protected "1"
</IfModule>

# PHP Security
# NOTE(review): mod_php7.c only matches PHP 7 running as an Apache module;
# PHP 8's module is mod_php.c, and under php-fpm the php_flag/php_value lines
# in .htaccess are not read at all -- confirm the SAPI in use, otherwise this
# block is silently skipped.
<IfModule mod_php7.c>
    # Never expose errors (paths, stack traces) in API responses; log them instead
    php_flag display_errors Off
    php_flag log_errors On
    # Cap a single request at 30 seconds of execution
    php_value max_execution_time 30
    # Small POST bodies only; upload_max_filesize 0 is intended to disable
    # uploads -- TODO confirm PHP treats 0 as a zero-byte cap, not "unlimited"
    php_value post_max_size 2M
    php_value upload_max_filesize 0
</IfModule>

# Rate Limiting (mod_evasive): per-client request counting, 403 once exceeded
# NOTE(review): mod_evasive's directives look like server/vhost-scope settings;
# if they are not allowed in .htaccess, loading the module turns this block into
# a 500 for every request here -- verify before enabling. Also confirm the
# built module is mod_evasive20.c (some Apache 2.4 packages use
# mod_evasive24.c, in which case this block is skipped). Behind a reverse
# proxy all clients share one source address, so these limits would hit the
# proxy rather than individual clients.
<IfModule mod_evasive20.c>
    # Size of the hash table tracking client addresses
    DOSHashTableSize 3097
    # More than 20 requests for the same URI within DOSPageInterval seconds blocks the client
    DOSPageCount 20
    # More than 50 requests to the site within DOSSiteInterval seconds blocks the client
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    # A blocked client keeps receiving 403 for this many seconds
    DOSBlockingPeriod 60
</IfModule>

# No directory listing: a request for the directory itself is refused instead
# of returning an auto-generated index of the endpoint files.
# NOTE(review): "Options" in .htaccess needs AllowOverride Options (or
# Options=Indexes) in the server config; otherwise every request here fails
# with 500 -- confirm.
Options -Indexes

# Block SQL injection in query strings
# Signature matching on QUERY_STRING only: it never sees POST bodies, which is
# where the POST-only endpoints above receive their data. Treat it as
# defense-in-depth, not a substitute for parameterized queries and output
# escaping in the PHP handlers.
# NOTE(review): the unanchored ".*" patterns also hit legitimate parameters,
# e.g. (constructed) "?action=update&setting=1" matches "update.*set" and is
# rejected with 403 -- confirm no endpoint uses such parameter names.
<IfModule mod_rewrite.c>
    RewriteCond %{QUERY_STRING} (union.*select|insert.*into|drop.*table|update.*set|delete.*from) [NC]
    RewriteRule .* - [F,L]

    # Same approach for common script-injection markers in the query string
    RewriteCond %{QUERY_STRING} (<script|<iframe|javascript:|eval\() [NC]
    RewriteRule .* - [F,L]
</IfModule>

# Block hidden files (any basename starting with a dot, e.g. .htaccess, .env)
# from being served.
# NOTE(review): Order/Deny is Apache 2.2 syntax; on 2.4 it only works with
# mod_access_compat loaded, and the native form is "Require all denied" --
# confirm the server version.
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>
