# DocScanner server config for Apache (cPanel-compatible)

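# Directory listings would expose the log/backup files the rules below try to
# hide. cPanel vhosts use AllowOverride All, so Options is permitted here; on a
# host that forbids it this line produces a 500 — remove it there.
Options -Indexes

RewriteEngine On

# Force HTTPS (uncomment after SSL is confirmed working).
# Keep this ABOVE the clean-URL rules: [L] restarts per-directory rewriting, so a
# redirect placed after them would see the rewritten /privacy.html instead of the
# URL the client asked for. %{HTTP_HOST} echoes the client-supplied Host header;
# once the canonical hostname is fixed (aerovpn.us per the comment below), prefer
# spelling it out here instead.
# RewriteCond %{HTTPS} !=on
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Clean URLs: /privacy → /privacy.html, /terms → /terms.html
# So paywall links (https://aerovpn.us/docscanner/privacy) work without .html
RewriteRule ^privacy/?$ privacy.html [L]
RewriteRule ^terms/?$ terms.html [L]

# CORS + no-cache for config.json (app fetches this every launch).
# "*" makes the file readable from any origin, so config.json must hold only
# public data — secrets belong in ai-config.php, which is denied below.
<Files "config.json">
    Header set Access-Control-Allow-Origin "*"
    Header set Cache-Control "no-cache, no-store, must-revalidate"
</Files>

# Block direct access to sensitive files: Apache's own .htaccess/.htpasswd,
# logs including rotated copies (ai-usage.log.1), markdown notes, dotenv files,
# SQL dumps, and editor/backup copies (*.bak, *.orig, *.old, *~).
<FilesMatch "(\.(htaccess|htpasswd|log(\.[0-9]+)?|md|env|sql|bak|orig|old)|~)$">
    Require all denied
</FilesMatch>

# Block ai-config.php from web (it contains API keys). Only accessible via
# PHP require(). Matched by prefix rather than exact name so backup/editor
# copies (ai-config.php.bak, ai-config.php.orig, ai-config.php~) — which Apache
# would serve as plain text instead of executing — are denied as well.
<FilesMatch "^ai-config\.php">
    Require all denied
</FilesMatch>

# Block ai-usage.log from web. Already covered by the .log pattern above; kept
# as an explicit guard so the log stays hidden if that pattern is later edited.
<Files "ai-usage.log">
    Require all denied
</Files>

# Security headers ("always" so they are also sent on error responses)
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # CSP equivalent of X-Frame-Options SAMEORIGIN for browsers that honour it
    Header always set Content-Security-Policy "frame-ancestors 'self'"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS: enable together with the HTTPS redirect above, and only once every
    # page on this host is confirmed to work over HTTPS — browsers cache it and
    # it cannot be quickly undone.
    # Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>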

