# ============================================================
# xLoyalty – Clover Connector · .htaccess
# Place in your web root (public_html/clover/ or similar)
# ============================================================

# ─── PHP version (if not set via cPanel MultiPHP) ────────────────────────────
# Uncomment if needed:
# AddHandler application/x-httpd-ea-php81 .php

# ─── Environment Variables ────────────────────────────────────────────────────
# SET THESE — replace placeholder values with your real ones.
# IMPORTANT: Restrict access to this file (see deny rule below).
#
# Security notes (review):
# - SetEnv values become visible to every script under this directory tree via
#   getenv()/$_SERVER. Any phpinfo(), var_dump($_SERVER), debug page or
#   uncaught-exception page left reachable will print the secrets below, so
#   keep display_errors Off (PHP settings below) and no debug pages in prod.
# - This file sits inside the web root, so it is also exposed by backup copies
#   (.htaccess.bak, editor "~" files), shared-hosting account access, or any
#   host change that stops honouring the deny rules. Where the host allows it,
#   prefer the vhost config or a file outside the document root.
# - TOKEN_ENC_IV: one fixed IV reused for every encryption is a known weakness.
#   With CBC it reveals when two tokens share a prefix; with CTR/GCM it reuses
#   the keystream and breaks confidentiality outright. The cipher mode is not
#   visible from here — confirm how the PHP side uses this value and, if it
#   can be changed, generate a fresh random IV per encryption and store it next
#   to the ciphertext instead of configuring one here.
# - Generate CLOVER_CLIENT_SECRET (from Clover), CRON_SECRET and TOKEN_ENC_KEY
#   independently; e.g. `openssl rand -hex 32` yields 32 random bytes as 64 hex
#   chars — match whatever length/encoding the PHP side expects. Rotate all of
#   them if this file is ever exposed.
# - SetEnv needs AllowOverride FileInfo; if the host forbids it Apache answers
#   500 for the whole directory (fail-closed, but verify after deployment).

SetEnv CLOVER_ENV          production
SetEnv CLOVER_CLIENT_ID    W74FFCB1KMRVY
SetEnv CLOVER_CLIENT_SECRET REPLACE_WITH_YOUR_SECRET
SetEnv DB_HOST             localhost
SetEnv DB_NAME             xloyalty_clover
SetEnv DB_USER             xloyalty_clover
SetEnv DB_PASS             REPLACE_WITH_DB_PASSWORD
SetEnv SITE_URL            https://server.xloyalty.io
SetEnv CRON_SECRET         REPLACE_WITH_LONG_RANDOM_TOKEN
SetEnv TOKEN_ENC_KEY       REPLACE_WITH_32BYTE_HEX
SetEnv TOKEN_ENC_IV        REPLACE_WITH_16BYTE_HEX

# ─── Protect this file ────────────────────────────────────────────────────────
# Belt-and-braces: the stock httpd.conf already denies "^\.ht" and the
# hidden-file rule further down denies any basename starting with ".", but a
# host may ship a different default, so keep this explicit. <Files> matches the
# exact basename only: copies such as .htaccess.bak or .htaccess~ depend on the
# "^\." rule below, and a renamed copy like htaccess.txt is NOT protected at
# all — never leave renamed copies in the web root. "Require" needs
# AllowOverride AuthConfig (Apache 2.4 syntax; 2.2 would need "Deny from all").
<Files ".htaccess">
    Require all denied
</Files>

# ─── Block direct access to sensitive scripts ─────────────────────────────────
# "Require all denied" blocks ALL HTTP access to files whose basename starts
# with sync_, push_ or cron_ (case-sensitive, any extension). Consequences:
# - CLI runs (`php /path/cron_x.php` from crontab) never go through Apache and
#   are unaffected; that is the intended way to run these scripts.
# - An HTTP-triggered cron (curl/wget against the URL, even presenting the
#   CRON_SECRET from the SetEnv block) is blocked by this rule as well. If
#   that model is needed, replace "Require all denied" with
#   "Require ip <cron-host>" and enforce CRON_SECRET inside the scripts
#   (require_cron_secret() in PHP); never rely on the secret alone while the
#   scripts are publicly reachable.
# - Keep the PHP-side check regardless: a host that ignores this .htaccess
#   (AllowOverride) would otherwise expose the scripts.
<FilesMatch "^(sync_|push_|cron_)">
    Require all denied
</FilesMatch>

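# ─── Block direct access to class/config files ───────────────────────────────
# Text files that Apache would serve verbatim: SQL dumps, shell scripts, docs,
# sample configs, plus editor/backup copies, logs and lock/ini/yaml files
# (config.php.bak, config.php.orig, .swp, composer.lock, ...). A backup copy of
# a .php file is served as PLAIN TEXT, which is why the .php rule alone is not
# enough. Extend the list if other non-web file types land in this directory.
<FilesMatch "\.(sql|sh|md|example|bak|orig|old|swp|log|lock|ini|yml|yaml)$">
    Require all denied
</FilesMatch>
# Editor backups ending in "~" (e.g. config.php~) are served as text too.
<FilesMatch "~$">
    Require all denied
</FilesMatch>
# PHP files that are only ever include()d, never requested directly. Matching
# is case-sensitive and by exact basename; requesting config.php directly
# would execute it (usually a blank page, but needless attack surface and a
# way to trigger error output).
<FilesMatch "^(config|db|CloverClient|XLoyaltyClient)\.php$">
    Require all denied
</FilesMatch>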

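# ─── Security headers ─────────────────────────────────────────────────────────
# "always" makes these apply to error responses (4xx/5xx) too, which is what
# we want. mod_headers directives need AllowOverride FileInfo in .htaccess.
<IfModule mod_headers.c>
    # If the Clover dashboard embeds this app in an iframe, DENY will break it;
    # in that case switch to "Content-Security-Policy: frame-ancestors
    # <clover-origin>" and drop X-Frame-Options. Confirm before deploying.
    Header always set X-Frame-Options          "DENY"
    Header always set X-Content-Type-Options   "nosniff"
    # The legacy browser XSS auditor is gone from current browsers and, where
    # it still exists, "1; mode=block" has itself been abused to break pages
    # and leak data. Current OWASP guidance: disable it ("0") and rely on CSP.
    Header always set X-XSS-Protection         "0"
    Header always set Referrer-Policy          "strict-origin-when-cross-origin"
    Header always set Permissions-Policy       "geolocation=(), microphone=(), camera=()"
    # PHP advertises its version in X-Powered-By and expose_php cannot be
    # changed from .htaccess (PHP_INI_SYSTEM). Strip it from both the normal
    # and the error header tables; best-effort — verify with `curl -I`.
    Header unset        X-Powered-By
    Header always unset X-Powered-By
    # Add a Content-Security-Policy once the app's script/style sources are
    # known; start with Content-Security-Policy-Report-Only to find breakage.
    # Uncomment when fully on HTTPS (together with the forced-HTTPS rewrite):
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>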

# ─── PHP settings ────────────────────────────────────────────────────────────
# CAUTION: php_flag/php_value exist only when PHP runs as an Apache module
# (mod_php). On cPanel the ea-php handler line above may mean CGI/FPM/LSAPI,
# where mod_php.c is not loaded and this whole block is SILENTLY skipped —
# display_errors would then stay at the server default. In that case put the
# same settings in a .user.ini next to this file or in the MultiPHP INI
# Editor, and verify with a phpinfo() page that you delete afterwards.
# (PHP 7 registers the module as mod_php7.c; PHP 8 as mod_php.c.)
<IfModule mod_php.c>
    # Never show errors to clients: messages can include file paths, SQL and
    # values of the env vars above. Log them outside the web root instead.
    php_flag  display_errors       Off
    php_flag  log_errors           On
    # Replace YOURUSERNAME; the logs/ directory must exist, be writable by the
    # PHP user and stay outside the document root.
    php_value error_log            /home/YOURUSERNAME/logs/clover_php_errors.log
    php_value max_execution_time   30
    php_value memory_limit         128M
    # Small upload/body caps: no file-upload feature is visible from here, so
    # keep these low to bound request-body abuse. Raise only if needed.
    php_value upload_max_filesize  2M
    php_value post_max_size        4M
</IfModule>

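# ─── Deny hidden files ────────────────────────────────────────────────────────
# <FilesMatch> tests the basename only, so this covers .env, .htpasswd,
# .user.ini, .htaccess.bak etc., but NOT the contents of hidden directories:
# /.git/config or /.git/HEAD have basenames without a leading dot and would be
# served, exposing source and history. The RedirectMatch below answers 404 for
# any URL path containing a VCS directory (mod_alias matches the full URL path
# even from .htaccess; needs AllowOverride FileInfo). Better still, never
# deploy VCS metadata to the web root at all.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.(git|svn|hg)(/|$)"
</IfModule>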

# ─── Disable directory listing ────────────────────────────────────────────────
# Without this, a directory lacking an index file lists its contents (class
# names, backups, dumps) to anyone. Needs AllowOverride Options; if the host
# forbids it Apache returns 500 for the directory rather than ignoring the line.
Options -Indexes

# ─── Force HTTPS (uncomment when SSL is active) ───────────────────────────────
# Redirect to the canonical host (SITE_URL above) rather than %{HTTP_HOST}:
# the Host header is client-supplied, and echoing it into a 301 lets a crafted
# request steer the redirect to an arbitrary host — harmless for the sender
# alone, but a proxy/CDN cache in front could serve that redirect to others.
# Enable the Strict-Transport-Security header in the same change. If TLS is
# terminated on a proxy/CDN, %{HTTPS} may always be "off" here and the rule
# would loop; test X-Forwarded-Proto instead in that setup.
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://server.xloyalty.io%{REQUEST_URI} [L,R=301]
