# ================================================================
# Urenmaat Sync API — Apache configuratie
# ================================================================

# Disable auto-generated directory listings, so a directory without an index
# file does not reveal its contents.
# NOTE(review): if this file is deployed as a .htaccess, the server must permit
# Options overrides (AllowOverride) for this line — confirm against the vhost.
Options -Indexes

# ── Force HTTPS ──────────────────────────────────────────────────
# Permanently (301) redirects every request that arrived without TLS to the
# same host and path over https. The RewriteEngine On directive here is the
# only one in this file, so the RewriteRules further down depend on it.
# NOTE(review): a redirect only takes effect after the cleartext request has
# been sent, so an Authorization / X-License-Key / X-Worker-Token header sent
# to an http:// URL has already crossed the network unencrypted. Clients should
# be configured with https:// URLs; no Strict-Transport-Security header is set
# anywhere in this file.
# NOTE(review): %{HTTP_HOST} is taken from the request's Host header — confirm
# the virtual host only answers for the expected host names.
# NOTE(review): assumes TLS terminates in Apache itself; behind a
# TLS-terminating proxy %{HTTPS} may always read "off" — confirm the deployment.
# NOTE(review): if mod_rewrite is not loaded this section is skipped silently
# and plain HTTP stays reachable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

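# ── Security headers ─────────────────────────────────────────────
# Response headers applied to everything served from this directory. The
# "always" condition also covers error and internally generated responses.
<IfModule mod_headers.c>
    # The "always" table and the default (onsuccess) table are separate, and an
    # unset only touches the table it names. Clear X-Powered-By from both so it
    # is stripped no matter which table the backend wrote it to.
    Header always unset X-Powered-By
    Header unset X-Powered-By
    # Forbid MIME sniffing: browsers must honour the declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Never allow these responses to be rendered inside a frame.
    Header always set X-Frame-Options "DENY"
    # Do not leak URLs of this API through the Referer header.
    Header always set Referrer-Policy "no-referrer"

    # CORS policy.
    # NOTE(review): the wildcard origin lets script running on any website call
    # this API from a browser and read the response, including requests that
    # carry the Authorization, X-License-Key or X-Worker-Token headers allowed
    # below. Access control therefore rests entirely on the secrecy of those
    # values. If the set of browser clients is known, return only allow-listed
    # origins (together with "Vary: Origin") instead of "*".
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-License-Key, X-Worker-Token"
    # Preflight results may be cached for up to 24 hours (86400 s); browsers may
    # apply a lower cap of their own.
    Header always set Access-Control-Max-Age "86400"
</IfModule>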

# ── OPTIONS preflight ────────────────────────────────────────────
# Answers every OPTIONS request, for any path, with an empty 204 response
# instead of passing it on to the application. The CORS headers a preflight
# needs come from the mod_headers section of this file, so they are only present
# when mod_headers is loaded.
# Depends on the RewriteEngine On directive in the HTTPS section above.
# With a status outside 300-399 in R=, mod_rewrite drops the substitution and
# stops rewriting, so no later rule in this file runs for OPTIONS requests.
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^ - [R=204,L]
</IfModule>

# ── Block direct access to /data/ ────────────────────────────────
# Returns 403 Forbidden for any request whose path starts with "data/"
# (in per-directory context the pattern is matched relative to this directory).
# Depends on the RewriteEngine On directive in the HTTPS section above.
# NOTE(review): this protection fails open — if mod_rewrite is not loaded the
# <IfModule> body is skipped silently and files under data/ are served, apart
# from *.json files, which the <FilesMatch> section of this file still denies.
# Consider also placing a "Require all denied" .htaccess inside data/, or
# keeping the data directory outside the document root.
# NOTE(review): the pattern is case-sensitive; that matters only if the
# filesystem is case-insensitive — confirm for the target host.
<IfModule mod_rewrite.c>
    RewriteRule ^data/ - [F,L]
</IfModule>

# ── Block direct access to config.php ────────────────────────────
# Denies every HTTP request for a file named config.php in this directory or
# any directory below it. This does not depend on mod_rewrite.
# NOTE(review): presumably config.php holds credentials or keys and is only
# meant to be included by other scripts; denying it keeps its source from being
# served if the PHP handler is ever not applied — confirm against the app.
<Files "config.php">
    # Apache 2.4 authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Fallback for Apache 2.2, where mod_authz_core does not exist.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# ── No direct access to .json files ──────────────────────────────
# Denies every HTTP request that resolves to a file whose name ends in ".json",
# in this directory or any directory below it. This does not depend on
# mod_rewrite, so it still protects JSON files under data/ when the rewrite
# rule for that directory is inactive.
# NOTE(review): the regex is case-sensitive, so a file named "*.JSON" would not
# match; files with other extensions are not covered by this rule.
<FilesMatch "\.json$">
    # Apache 2.4 authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Fallback for Apache 2.2, where mod_authz_core does not exist.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
