# Ocultar headers de servidor
<IfModule mod_headers.c>
    Header unset X-Powered-By
    Header always unset X-Powered-By
    Header unset Server
</IfModule>

# Bloquear acceso a archivos sensibles
<FilesMatch "\.(env|log|git|gitignore|htpasswd|DS_Store)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# ============================================================
# Compresion (Brotli si esta, Gzip como fallback)
# ============================================================
<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml image/svg+xml font/ttf font/otf application/vnd.ms-fontobject
</IfModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml application/atom+xml image/svg+xml font/ttf font/otf application/vnd.ms-fontobject
</IfModule>

# ============================================================
# Cache-Control para estaticos
# ============================================================
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault                                      "access plus 1 month"

    # HTML y JSON: no cachear (siempre frescos)
    ExpiresByType text/html                             "access plus 0 seconds"
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/manifest+json             "access plus 1 day"

    # CSS y JS: 1 anio (con cache-busting via ?v= o hash de Vite)
    ExpiresByType text/css                              "access plus 1 year"
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

    # Imagenes: 1 anio
    ExpiresByType image/png                             "access plus 1 year"
    ExpiresByType image/jpeg                            "access plus 1 year"
    ExpiresByType image/webp                            "access plus 1 year"
    ExpiresByType image/avif                            "access plus 1 year"
    ExpiresByType image/svg+xml                         "access plus 1 year"
    ExpiresByType image/x-icon                          "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 year"

    # Fuentes: 1 anio
    ExpiresByType font/woff                             "access plus 1 year"
    ExpiresByType font/woff2                            "access plus 1 year"
    ExpiresByType application/font-woff                 "access plus 1 year"
    ExpiresByType application/font-woff2                "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
    # Cache largo + immutable para estaticos con hash o version
    <FilesMatch "\.(css|js|woff2?|ttf|eot|otf|svg|png|jpe?g|webp|avif|ico)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # HTML siempre fresco
    <FilesMatch "\.(html|htm)$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>

    # Vary: Accept-Encoding (correcto para CDN/proxies)
    <FilesMatch "\.(css|js|html|svg|json)$">
        Header append Vary Accept-Encoding
    </FilesMatch>
</IfModule>

# ============================================================
# Routing Laravel + seguridad
# ============================================================
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Forzar HTTPS
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Bloquear acceso directo a /storage/app
    RewriteRule ^storage/app/(.*)$ - [F,L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Handle X-XSRF-Token Header
    RewriteCond %{HTTP:x-xsrf-token} .
    RewriteRule .* - [E=HTTP_X_XSRF_TOKEN:%{HTTP:X-XSRF-Token}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>
