# File: /.htaccess (web root directory)

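# save-responses.php: accept POST only. <LimitExcept POST> refuses every
# other method (GET, HEAD, OPTIONS, ...), so the handler cannot be opened or
# probed directly in a browser. Apache 2.4 uses "Require all denied"
# (mod_authz_core); the Order/Deny pair is the 2.2 form and on 2.4 only works
# with mod_access_compat loaded, so each is wrapped in its own <IfModule>.
<IfModule mod_authz_core.c>
    <Files "save-responses.php">
        <LimitExcept POST>
            Require all denied
        </LimitExcept>
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files "save-responses.php">
        <LimitExcept POST>
            Order Allow,Deny
            Deny from all
        </LimitExcept>
    </Files>
</IfModule>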

# admin-export.php - should only be reachable by authenticated administrators.
# NOTE(review): every directive in this section is commented out, so as
# written it grants NO protection by itself; the export relies entirely on
# whatever authentication the PHP script performs. To put HTTP Basic auth in
# front of it, UNCOMMENT the four directives and point AuthUserFile at an
# .htpasswd kept outside the web root. Basic auth sends credentials with every
# request, so only use it on an HTTPS-only site. "Require valid-user" is the
# Apache 2.4 syntax and is also accepted by 2.2.
<Files "admin-export.php">
    # AuthType Basic
    # AuthName "Admin Access Required"
    # AuthUserFile /path/to/.htpasswd
    # Require valid-user
</Files>

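# admin-config.php: no direct HTTP access at all (PHP include() of the file
# is unaffected, this only blocks requests for the URL). If the file holds
# credentials, the safer layout is to keep it outside the web root entirely.
# "Require all denied" is Apache 2.4 (mod_authz_core); the Order/Deny pair is
# the 2.2 form and on 2.4 needs mod_access_compat, hence the <IfModule> split.
<IfModule mod_authz_core.c>
    <Files "admin-config.php">
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files "admin-config.php">
        Order Allow,Deny
        Deny from all
    </Files>
</IfModule>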

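# Block direct requests for .json files in this directory and below.
# <FilesMatch> with the (?i) PCRE flag matches the extension case-insensitively,
# so "DATA.JSON" is covered as well as "data.json" (the glob "*.json" is
# case-sensitive on case-sensitive filesystems). Only HTTP requests for the
# files are blocked; PHP reading them from disk, and JSON responses generated
# by PHP scripts, are unaffected. 2.4 / 2.2 access-control forms as above.
<IfModule mod_authz_core.c>
    <FilesMatch "(?i)\.json$">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "(?i)\.json$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
</IfModule>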

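# Security headers (mod_headers). "Header always set" also attaches the
# headers to error responses (4xx/5xx); plain "Header set" only covers
# successful ones.
<IfModule mod_headers.c>
    # Turn the legacy browser XSS auditor OFF rather than on: current browsers
    # have removed it, and in the older ones that still honour "1; mode=block"
    # the auditor itself has been a source of cross-site information leaks.
    # Content-Security-Policy is the supported XSS defence.
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Uncomment in production. Note that script-src 'unsafe-inline' removes
    # most of the XSS protection a CSP provides; prefer moving inline scripts
    # into files served under 'self', or use nonces/hashes.
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:;"
    # If the site is served over HTTPS only (the session.cookie_secure setting
    # in this file suggests it is), also consider Strict-Transport-Security;
    # left out here because it cannot be safely enabled on a plain-HTTP host.
</IfModule>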

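# PHP security settings. php_flag/php_value only take effect when PHP runs as
# an Apache module; under PHP-FPM or CGI they are silently ignored and the
# same settings belong in php.ini / .user.ini. PHP 7 registers the module as
# mod_php7.c and PHP 8 as mod_php.c, so both are covered below.
#
# session.cookie_samesite is a string option. php_flag only understands
# on/off (any other value is stored as "0"), so setting it with php_flag
# produced an invalid SameSite value instead of Strict; it must use php_value.
<IfModule mod_php7.c>
    php_flag display_errors off
    php_value post_max_size 8M
    php_value upload_max_filesize 2M
    php_flag session.use_only_cookies on
    php_flag session.use_strict_mode on
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite Strict
</IfModule>
<IfModule mod_php.c>
    php_flag display_errors off
    php_value post_max_size 8M
    php_value upload_max_filesize 2M
    php_flag session.use_only_cookies on
    php_flag session.use_strict_mode on
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite Strict
</IfModule>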

# Prevent directory listing. This needs "AllowOverride Options" (or
# "AllowOverride Options=Indexes") in the server configuration; if Options is
# not overridable here, Apache rejects the whole .htaccess and answers every
# request in this tree with a 500.
Options -Indexes

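# mod_rewrite rules. They only run when mod_rewrite is loaded and
# "AllowOverride FileInfo" is granted, so they must not be the only barrier.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse every request into the storage directory with 403 (F implies L).
    # NC makes the pattern case-insensitive so that "Storage/" is caught too
    # on case-insensitive filesystems. As a fallback independent of
    # mod_rewrite, also keep a storage/.htaccess containing "Require all
    # denied", or better, move the directory outside the web root.
    RewriteRule ^storage/ - [F,L,NC]

    # The method restriction for save-responses.php is enforced by its
    # <Files>/<LimitExcept POST> section; the former "RewriteRule ^ - [L]"
    # pass-through for POST requests granted nothing and was removed.
</IfModule>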