# CyberChat .htaccess — Apache configuration

# Deny direct access to databases and the credential-bearing config file
<FilesMatch "(^config\.json$|\.sqlite($|-wal$|-shm$))">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Always revalidate HTML so new asset versions take effect immediately.
<IfModule mod_headers.c>
    <FilesMatch "\.(html?)$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </FilesMatch>
</IfModule>

# Voice playback MIME types, including Safari/iPhone-compatible AAC in MP4.
<IfModule mod_mime.c>
    AddType audio/webm .webm
    AddType audio/wav .wav
    AddType audio/aac .aac
    AddType audio/mp4 .m4a
    AddType video/mp4 .mp4
</IfModule>

# Deny direct access to storage and internal PHP libraries
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^db/ - [F,L]
    RewriteRule ^archive/ - [F,L]
    RewriteRule ^lib/ - [F,L]
</IfModule>

# PHP settings (if allowed by host)
<IfModule mod_php.c>
    php_value session.cookie_httponly 1
    php_value session.cookie_samesite Strict
    php_value session.use_strict_mode 1
</IfModule>
