# MARKE MACHT — Apache-Konfiguration (markemacht.de)
# Kanonische Domain: https://markemacht.de (ohne www)

# ── Rewrite engine ────────────────────────────────────────────────────────────
# Canonicalises scheme and host, retires old article URLs and forbids a few
# internal paths. Rules run top to bottom; [L] ends the current rewrite pass.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Force HTTPS and collapse www → non-www in one 301 (permanent) hop.
  # The redirect target host is hard-coded, so the client-supplied Host header
  # is never copied into the Location header.
  # NOTE(review): %{HTTPS} describes the connection as Apache sees it. If TLS is
  # terminated by a proxy or load balancer in front of this server, the
  # condition would stay "off" and this rule would redirect in a loop. Confirm
  # the deployment topology.
  RewriteCond %{HTTPS} off [OR]
  RewriteCond %{HTTP_HOST} ^www\.markemacht\.de$ [NC]
  RewriteRule ^ https://markemacht.de%{REQUEST_URI} [R=301,L]

  # Retired "Denken" articles → overview page
  RewriteRule ^denken-agilitaet\.html$ /denken.html [R=301,L]
  RewriteRule ^denken-fuehrung-durch-reduktion\.html$ /denken.html [R=301,L]
  RewriteRule ^denken-architektursanierung\.html$ /denken.html [R=301,L]

  # Build script and internal files must not be publicly reachable (403).
  # NOTE(review): these denials exist only while mod_rewrite is loaded. The
  # enclosing <IfModule> skips them silently otherwise and the paths would be
  # served (fail-open). A module-independent "Require all denied" (via <If>, or
  # a .htaccess inside each directory) would fail closed.
  # NOTE(review): the patterns are case-sensitive (no [NC]), which matters only
  # if the document root is on a case-insensitive filesystem. Confirm.
  RewriteRule ^scripts/ - [F,L]
  RewriteRule ^assets/components/ - [F,L]
  RewriteRule ^assets/version\.txt$ - [F,L]
</IfModule>

# ── Error pages ───────────────────────────────────────────────────────────────
# Serve the site's own page for "not found" instead of the server default.
ErrorDocument 404 /404.html

# ── Disable directory listings ────────────────────────────────────────────────
# -Indexes:    no auto-generated listing for directories without an index file,
#              so directory contents cannot be enumerated by browsing.
# -MultiViews: no content-negotiated file-name guessing, so a request only
#              matches the file that was actually named.
# NOTE(review): in a .htaccess file this directive requires AllowOverride to
# permit Options; otherwise the server answers every request with a 500.
Options -Indexes -MultiViews

# ── Default document ──────────────────────────────────────────────────────────
DirectoryIndex index.html

# ── Character set ─────────────────────────────────────────────────────────────
# Declares UTF-8 on text/html and text/plain responses so browsers do not have
# to guess the encoding.
AddDefaultCharset UTF-8

# ── MIME types ────────────────────────────────────────────────────────────────
# Explicit Content-Type mappings for asset formats. Correct types matter here
# because this file also sends "X-Content-Type-Options: nosniff", which stops
# browsers from second-guessing a wrong or missing type.
<IfModule mod_mime.c>
  AddType image/webp .webp
  AddType image/svg+xml .svg
  AddType font/woff2 .woff2
  AddType font/woff .woff
</IfModule>

# ── Compression ───────────────────────────────────────────────────────────────
# Compress text-like responses, using gzip (mod_deflate) and/or Brotli
# (mod_brotli), whichever modules are loaded. Both lists cover the same types.
# NOTE(review): WOFF and WOFF2 are already compressed container formats, so
# compressing font/woff and font/woff2 again mostly costs CPU.
# NOTE(review): compressing responses that mix secrets with request-controlled
# input is the precondition for BREACH-style side channels. The paths visible
# in this file look like static content. Confirm that no dynamic page is served
# from here.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml
  AddOutputFilterByType DEFLATE application/javascript application/json application/xml
  AddOutputFilterByType DEFLATE image/svg+xml font/woff2 font/woff
</IfModule>

<IfModule mod_brotli.c>
  AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/css text/xml
  AddOutputFilterByType BROTLI_COMPRESS application/javascript application/json application/xml
  AddOutputFilterByType BROTLI_COMPRESS image/svg+xml font/woff2 font/woff
</IfModule>

# ── Cache control ─────────────────────────────────────────────────────────────
# Expiry times per content type. Anything not listed below expires immediately.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 0 seconds"

  # HTML pages: always revalidate
  ExpiresByType text/html "access plus 0 seconds"

  # Static assets: 7 days (cache busting via ?v= in CSS/JS)
  # NOTE(review): images and fonts get the same 7 days. Whether their URLs
  # also carry a ?v= parameter is not visible here. Without one, a replaced
  # file can stay stale in caches for up to a week.
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType image/svg+xml "access plus 7 days"
  ExpiresByType image/webp "access plus 7 days"
  ExpiresByType image/jpeg "access plus 7 days"
  ExpiresByType image/png "access plus 7 days"
  ExpiresByType font/woff2 "access plus 7 days"
  ExpiresByType font/woff "access plus 7 days"
</IfModule>

<IfModule mod_headers.c>
  # Static assets under /assets/: cacheable for 604800 s (7 days) and marked
  # immutable, so browsers skip revalidation within that window.
  SetEnvIf Request_URI "^/assets/" ASSET_PATH=1
  Header set Cache-Control "public, max-age=604800, immutable" env=ASSET_PATH

  # HTML: may be stored, but must be revalidated before every reuse
  <FilesMatch "\.(html)$">
    Header set Cache-Control "no-cache, must-revalidate"
  </FilesMatch>

  # Security headers. "always" also attaches them to error and redirect
  # responses, not only to successful ones.
  # nosniff: browsers must honour the declared Content-Type.
  Header always set X-Content-Type-Options "nosniff"
  # Framing limited to same origin (overlaps with frame-ancestors in the CSP
  # below; kept for browsers that only understand the older header).
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Camera, microphone and geolocation are disabled for this site and any
  # embedded frames.
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
  # Content Security Policy: same-origin by default; https://sys.adametz.media
  # is additionally trusted as a script source and connect target.
  # NOTE(review): 'unsafe-inline' in script-src lets any injected inline script
  # run, which removes most of the XSS protection a CSP offers. If the pages'
  # inline scripts can move to files, or be allowed by nonce or hash, the
  # keyword can be dropped. Same consideration, at lower risk, for style-src.
  # NOTE(review): object-src is not set and falls back to default-src 'self'.
  # If the site embeds no plugins, "object-src 'none'" is the tighter setting.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://sys.adametz.media; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://sys.adametz.media; frame-ancestors 'self'; base-uri 'self'; form-action 'self' mailto:"
  # HSTS for one year (31536000 s), sent only when the HTTPS environment
  # variable is set for the request.
  # NOTE(review): presumably mod_ssl sets that variable. Behind a
  # TLS-terminating proxy it would be unset and no HSTS header would be sent.
  # Confirm with a header check against the live site.
  # NOTE(review): includeSubDomains binds every subdomain of markemacht.de to
  # HTTPS in browsers that have seen this header. Verify that all of them
  # serve valid TLS.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>

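# ── Access protection (internal / sensitive files) ───────────────────────────
# Deny dotfiles, Markdown documents and Composer manifests.
# <FilesMatch> tests only the final file name. It therefore does NOT cover
# files that live inside a dot-directory (their own names need not start with
# a dot); the <If> block below closes that gap.
<FilesMatch "(^\.|\.md$|composer\.(json|lock)$)">
  Require all denied
</FilesMatch>

# Deny every file named version.txt, in whatever directory it sits.
<FilesMatch "(^|/)version\.txt$">
  Require all denied
</FilesMatch>

# Path-based denial that fails closed: it needs only the authorization
# directive this file already uses unconditionally, not an optional module.
#  - internal directories (dependencies, container setup, build scripts,
#    component partials)
#  - any path segment that starts with a dot, except /.well-known/, which
#    standard tooling (e.g. certificate validation) must be able to reach
# Assumes this .htaccess sits in the document root (cf. "RewriteBase /") and
# that AllowOverride permits <If> sections. Confirm before deploying.
<If "%{REQUEST_URI} =~ m#^/(vendor|docker|scripts|assets/components)/# || %{REQUEST_URI} =~ m#(^|/)\.(?!well-known/)#">
  Require all denied
</If>

# Same directories via mod_rewrite (kept for parity with the rewrite rules
# elsewhere in this file). These two rules alone would fail open: without
# mod_rewrite the <IfModule> is skipped and nothing is denied.
<IfModule mod_rewrite.c>
  RewriteRule ^vendor/ - [F,L]
  RewriteRule ^docker/ - [F,L]
</IfModule>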
