Options -Indexes
Options +FollowSymLinks

# ============================================================
# XC Panel - Apache/cPanel .htaccess
# Requires mod_rewrite (enabled by default on cPanel hosts)
# ============================================================

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Protect sensitive directories
    RewriteRule ^db/         - [F,L]
    RewriteRule ^includes/   - [F,L]

    # Allow direct access to uploads
    RewriteRule ^uploads/(.*)$ uploads/$1 [L]

    # Allow direct access to assets
    RewriteRule ^assets/(.*)$ assets/$1 [L]



    # If the app uses the panel root as Xtream portal, proxy these real stream/API calls to Portal 1
    RewriteRule ^player_api\.php$ xc_proxy.php?__path=1/player_api.php [QSA,L]
    RewriteRule ^xmltv\.php$ xc_proxy.php?__path=1/xmltv.php [QSA,L]
    RewriteRule ^(live|movie|series)/(.*)$ xc_proxy.php?__path=1/$1/$2 [QSA,L]

    # Route XC proxy portal to tracker/proxy
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^xc_proxy/(.*)$ xc_proxy.php?__path=$1 [QSA,L]

    # Route /api/* to api/index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^api/(.*)$ api/index.php [QSA,L]

    # Root catches — serve index.php for the SPA
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^$ index.php [QSA,L]
    RewriteRule ^([^.]+)$ index.php [QSA,L]
</IfModule>

# PHP settings (cPanel allows these in .htaccess)
<IfModule mod_php7.c>
    php_value upload_max_filesize 110M
    php_value post_max_size 115M
    php_value memory_limit 128M
    php_value max_execution_time 60
    php_value session.gc_maxlifetime 86400
</IfModule>
<IfModule mod_php.c>
    php_value upload_max_filesize 110M
    php_value post_max_size 115M
    php_value memory_limit 128M
    php_value max_execution_time 60
    php_value session.gc_maxlifetime 86400
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

# Deny access to sensitive files
<FilesMatch "\.(db|sqlite|sqlite3|json|env|log)$">
    Order allow,deny
    Deny from all
</FilesMatch>
