# Turn off automatic directory listings for this tree.
Options -Indexes
# Drop the server-version footer from server-generated pages (error pages,
# listings). The "Server" response header is governed by ServerTokens, which
# can only be set in the main server configuration, not in .htaccess.
ServerSignature Off

# =============================================
# CyberLab — .htaccess
# =============================================

# Enable URL rewriting
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Redirect to HTTPS (uncomment in production).
    # NOTE(review): while these two lines stay commented out the site is served
    # over plain HTTP. The redirect target is built from the client-supplied
    # Host header, and behind a TLS-terminating proxy %{HTTPS} may always read
    # "off" — confirm both points for the deployment before enabling.
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Labs by slug: /labs/sqli-basico.php → /labs/lab.php?slug=sqli-basico
    # The pattern requires the ".php" suffix, so /labs/sqli-basico without it
    # is not rewritten. The two conditions skip paths that exist as a file or
    # directory (lab.php itself is therefore served directly).
    # The [a-z0-9\-] class only shapes the pretty URL; it is not input
    # validation. lab.php can be requested directly, and [QSA] appends the
    # client's own query string after slug=$1, so lab.php must validate the
    # slug value itself.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^labs/([a-z0-9\-]+)\.php$ /labs/lab.php?slug=$1 [L,QSA]
</IfModule>

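# Block access to sensitive files (dumps, logs, env/config files, backups,
# shell scripts). (?i) makes the extension match case-insensitive, so names
# such as BACKUP.SQL are covered as well.
# "Order/Deny" is Apache 2.2 syntax: on 2.4 it only works when
# mod_access_compat is loaded, and otherwise the whole .htaccess fails to
# parse (500 on every request). Use the 2.4 directive when mod_authz_core is
# present and fall back to the 2.2 form only on old servers.
# NOTE(review): the list is extension-based; editor backups (e.g. "~", ".swp",
# ".old") and VCS directories are not covered — extend it if such files can
# end up under the document root.
<FilesMatch "(?i)\.(sql|log|env|bak|config|ini|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>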

# Block direct access to includes/ and install/ (requests get 403 Forbidden).
# NOTE(review): this protection depends on mod_rewrite. If the module is not
# loaded the <IfModule> is skipped silently and both directories become
# reachable; a per-directory deny, or keeping them outside the document root,
# is the sturdier control. Consider removing install/ once setup is finished.
<IfModule mod_rewrite.c>
    # One alternation covers both directories; [F] implies [L].
    RewriteRule ^(?:includes|install)/ - [F]
</IfModule>

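# Security headers
<IfModule mod_headers.c>
    # "always" also attaches the headers to error responses (for example the
    # 403s produced by the deny rules in this file); a plain "Header set" only
    # covers successful responses.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; it is no substitute for output encoding or a
    # Content-Security-Policy. No CSP is set here — confirm whether that is
    # intentional for the lab pages.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
    # Uncomment after HTTPS is configured. includeSubDomains applies the
    # policy to every subdomain of this host, so all of them must serve HTTPS
    # before this is enabled.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>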

# Disable directory listings (-Indexes, also set at the top of this file) and
# server-side includes (-Includes).
Options -Indexes -Includes

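# Disable PHP execution in uploads (if you have an uploads folder).
#
# "php_flag engine off" must NOT be set in this file: it sits at the site root
# (RewriteBase /), so wherever mod_php.c is the loaded module name the engine
# would be switched off for every directory, including /labs/lab.php, and
# .php files may then be served as plain source instead of being executed.
# Place the block below in uploads/.htaccess instead. The module name in
# <IfModule> depends on the PHP build (mod_php.c, mod_php7.c, mod_php5.c), and
# php_flag has no effect when PHP runs through FPM/CGI.
#
#     <IfModule mod_php.c>
#         php_flag engine off
#     </IfModule>
#
# From the root file, refuse requests for script files under uploads/ instead.
# Relies on the "RewriteEngine On" set earlier in this file. This is an
# extension filter only: keep upload names and types validated in the
# application, and make sure uploads cannot write their own .htaccess.
<IfModule mod_rewrite.c>
    RewriteRule ^uploads/.+\.(?:php[0-9]?|phtml|phar)$ - [F,NC]
</IfModule>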
