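# Access controls live outside the mod_rewrite guard on purpose: if
# mod_rewrite is not loaded, the file and directory protections below must
# still apply instead of silently disappearing with the rewrite rules.

# Deny direct access to sensitive files.
# The pattern matches these exact file names only; backup or variant copies
# (for example ".env.local" or "config.php.bak") are not covered by it.
<FilesMatch "^(config\.php|\.env|\.htaccess|\.htpasswd|composer\.json|composer\.lock|update_leaderboard\.log)$">
    Require all denied
</FilesMatch>

# Disable directory listing
Options -Indexes

# Environment for cron (the secret must match the one set in the server environment).
# NOTE(review): this secret is stored in clear text in this file. Anyone who can
# read the file (repository, backup, misconfigured server) obtains it; the only
# HTTP-level protection is the FilesMatch rule above. Prefer defining it in the
# server or virtual-host configuration outside the web root, and rotate the
# value if this file has ever been committed or shared.
<IfModule mod_env.c>
    SetEnv CRON_SECRET "8f7a3e2c9d1b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9g"
</IfModule>

# Deny direct access to directories that never need to be served.
# (?i) makes the match case-insensitive, consistent with the [NC] rule used
# for the same directories further down in this file.
# NOTE(review): the patterns are anchored at the URL root; confirm the site is
# not deployed under a sub-path, otherwise they will not match.
RedirectMatch 403 (?i)^/vendor/.*$
RedirectMatch 403 (?i)^/logs/.*$

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Allow direct access to watch.php (stop rewriting, serve the file as is)
    RewriteRule ^watch\.php$ - [L]

    # SEO-friendly URL for watch (optional); match_id is restricted to digits
    RewriteRule ^watch/([0-9]+)$ watch.php?match_id=$1 [L,QSA]

    # Other SEO-friendly URLs.
    # These rules only map a path to a view name; they perform no access
    # control. NOTE(review): authorization for the admin view presumably
    # happens in index.php - confirm.
    RewriteRule ^klasemen$ /index.php?view=standings [L,QSA]
    RewriteRule ^jadwal$ /index.php?view=schedule [L,QSA]
    RewriteRule ^knockout$ /index.php?view=knockout [L,QSA]
    RewriteRule ^teams$ /index.php?view=teams [L,QSA]
    RewriteRule ^leaderboard$ /index.php?view=leaderboard [L,QSA]
    RewriteRule ^profil$ /index.php?view=profile [L,QSA]
    RewriteRule ^admin$ /index.php?view=admin [L,QSA]

    # Front controller: if the request is not an existing file or directory,
    # hand it to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>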

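# Security headers (applied only if mod_headers is enabled)
# "Header set" without a condition affects successful responses only; error
# responses such as 403/404 pages are not covered.
# NOTE(review): consider "Header always set" after confirming the application
# does not emit the same headers itself.
<IfModule mod_headers.c>
    Header set X-Frame-Options "DENY"
    Header set X-Content-Type-Options "nosniff"
    # The legacy browser XSS filter is deprecated and "1; mode=block" is no
    # longer recommended; it is switched off explicitly and the
    # Content-Security-Policy below is the control relied on instead.
    Header set X-XSS-Protection "0"
    Header set Referrer-Policy "strict-origin-when-cross-origin"

    # Content-Security-Policy allowing YouTube embeds, LiveChat and the CDNs in use.
    # frame-ancestors 'none' mirrors X-Frame-Options DENY for CSP-aware browsers,
    # and base-uri 'self' is set because default-src does not cover <base>.
    # NOTE(review): 'unsafe-inline' in script-src allows injected inline script,
    # and https://cdn.jsdelivr.net is a shared CDN serving third-party packages,
    # so the script-src list offers limited XSS protection. Moving inline scripts
    # to files or nonces and pinning exact CDN paths would tighten it. Also
    # confirm https://fonts.googleapis.com is really needed in script-src.
    Header set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.tailwindcss.com https://fonts.googleapis.com https://cdn.livechatinc.com https://api.livechatinc.com https://www.youtube.com https://s.ytimg.com https://cdn.jsdelivr.net 'unsafe-inline'; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://i.postimg.cc https://dkzd8du6wd13r.cloudfront.net https://flagcdn.com https://img.youtube.com https://i.ytimg.com; connect-src 'self' https://cdn.livechatinc.com https://api.livechatinc.com https://*.livechatinc.com wss://*.livechatinc.com; frame-src https://secure.livechatinc.com https://www.youtube.com https://www.youtube-nocookie.com https://m.youtube.com; child-src https://secure.livechatinc.com https://www.youtube.com https://www.youtube-nocookie.com https://m.youtube.com; frame-ancestors 'none'; base-uri 'self';"
</IfModule>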

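# Deny requests for .php files inside specific directories (if they exist)
<IfModule mod_rewrite.c>
    # Repeated here so this section does not depend on an earlier
    # RewriteEngine directive being present.
    RewriteEngine On

    # Match ".php" at the end of the path or followed by "/": a pattern ending
    # in "\.php$" would miss requests that carry extra path segments after the
    # script name, which the server may still route to the script.
    # [NC] keeps the match case-insensitive.
    RewriteCond %{REQUEST_URI} ^/(vendor|logs|temp)/.*\.php(/|$) [NC]
    RewriteRule .* - [F,L]
</IfModule>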

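# Cache static assets (optional)
<IfModule mod_expires.c>
    ExpiresActive On
    # "image/jpg" is not a registered media type; it is kept for servers that
    # have been configured to emit it. "image/jpeg" is the standard one.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    # JavaScript may be served under either media type depending on the
    # server's MIME mapping, so both receive the same lifetime.
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType text/javascript "access plus 1 week"
</IfModule>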