# TakeScanner server config for Apache (cPanel-compatible)

# Enable mod_rewrite for this directory.
RewriteEngine On

# Extension-less legal pages: /privacy and /terms (optional trailing slash)
# are served from privacy.html / terms.html, so the paywall links
# (https://notez.us/docscanner/privacy) work without a visible .html.
# One rule covers both names; $1 is the captured page name. This is an
# internal rewrite (no R flag), so the browser's address bar is unchanged;
# [L] stops rewrite processing once the rule has matched.
RewriteRule ^(privacy|terms)/?$ $1.html [L]

# CORS + no-cache for config.json (app fetches this every launch)
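# config.json is fetched by the app on every launch: allow cross-origin reads
# and forbid caching so a changed config is picked up immediately.
# Wrapped in <IfModule mod_headers.c> like every other Header block in this
# file: a bare Header directive makes Apache reject the whole .htaccess
# (HTTP 500 for every request) when mod_headers is not loaded.
<Files "config.json">
    <IfModule mod_headers.c>
        # A wildcard origin is only appropriate for a public, per-app file
        # with no per-user data — assumed here, verify — and must never be
        # combined with Access-Control-Allow-Credentials.
        Header set Access-Control-Allow-Origin "*"
        # "set" without "always" applies to 2xx responses only; an error
        # response for this path does not carry these headers.
        Header set Cache-Control "no-cache, no-store, must-revalidate"
    </IfModule>
</Files>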

# Long-lived cache for static assets (paywall legal pages, splash image).
# These change only on server deploy; browsers + App Store WebView can reuse them.
# Static image assets (splash image and the like): cache for 30 days
# (2592000 s). "public" lets shared caches store them as well.
# There is no cache-busting in these filenames, so an image replaced on
# deploy may be served stale by a client for up to the full 30 days.
# The match is case-sensitive; an uppercase extension (e.g. .PNG) is not
# covered by this rule.
<IfModule mod_headers.c>
    <FilesMatch "\.(?:png|jpe?g|gif|svg|webp|ico)$">
        Header set Cache-Control "public, max-age=2592000"
    </FilesMatch>
</IfModule>

# HTML pages (the legal pages the paywall links to): cacheable for one hour.
# /privacy and /terms are rewritten to .html files above, so this should
# apply to those responses as well — confirm with a response header check.
<IfModule mod_headers.c>
    <FilesMatch "\.html$">
        Header set Cache-Control "public, max-age=3600"
    </FilesMatch>
</IfModule>

# Block direct access to sensitive files
# Deny web access to files that must never be served: .htaccess itself,
# log files and Markdown notes. "Require all denied" answers HTTP 403 for
# any request naming such a file. The match is case-sensitive (.LOG would
# not be caught). The stock httpd.conf normally also denies ".ht*" files
# (including .htpasswd); this rule does not depend on that.
<FilesMatch "\.(?:htaccess|log|md)$">
    Require all denied
</FilesMatch>

# Block ai-config.php from web (it contains API keys). Only accessible via PHP require().
# ai-config.php holds API keys and must never be served over HTTP.
# This only restricts web requests; PHP's require() reads the file from
# disk and is unaffected by this access control.
<FilesMatch "^ai-config\.php$">
    Require all denied
</FilesMatch>

# Block ai-usage.log from web
# ai-usage.log is already covered by the "\.log$" deny rule above; this
# explicit entry is kept as defence in depth in case that pattern changes.
<FilesMatch "^ai-usage\.log$">
    Require all denied
</FilesMatch>

# Force HTTPS (uncomment after SSL is confirmed working)
# RewriteCond %{HTTPS} !=on
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Security headers
# Security response headers. "always" applies them to error responses too,
# not just 2xx. Strict-Transport-Security is intentionally absent: add it
# only once the HTTPS redirect (still commented out above) is active,
# otherwise clients would be pinned to a scheme the site does not yet
# enforce. No Content-Security-Policy is set; whether one fits depends on
# what the HTML pages load.
<IfModule mod_headers.c>
    # Limit how much of the URL is sent as Referer to other origins.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Only this origin may embed these pages in a frame (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop browsers from MIME-sniffing a response into a different type.
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

