# ============================================
# RandomChat - Apache / LiteSpeed .htaccess
# Fixed: Camera permissions for Jitsi iframe
# ============================================

# Turn off auto-generated directory listings for folders that have no index file.
Options -Indexes
# Drop the server/version footer from server-generated pages (error pages and the like).
# This does not change the "Server:" response header; that is governed by
# ServerTokens, which can only be set in the main server configuration.
ServerSignature Off

# ── Camera & Mic Permissions (CRITICAL for Jitsi) ──
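<IfModule mod_headers.c>
    # Permissions-Policy: let this origin and the embedded meet.jit.si frame use
    # camera, microphone and screen capture. The header is an HTTP structured
    # field, so origins must be double-quoted strings. Single-quoted origins
    # (old Feature-Policy style) fail parsing and browsers drop the whole header,
    # leaving only the browser defaults in force.
    # The Jitsi <iframe> still needs a matching allow="camera; microphone; display-capture".
    # NOTE(review): https://8x8.vc is permitted in frame-src below but not here;
    # confirm whether frames from that origin also need these features.
    Header always set Permissions-Policy "camera=(self \"https://meet.jit.si\"), microphone=(self \"https://meet.jit.si\"), display-capture=(self \"https://meet.jit.si\")"

    # Baseline response hardening (independent of framing and of Jitsi).
    Header always set X-Content-Type-Options "nosniff"
    # The legacy browser XSS auditor has been removed from current browsers and its
    # "mode=block" behaviour was itself abusable in old ones, so switch it off
    # explicitly. Script-injection defence is the job of the CSP below.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Clickjacking: X-Frame-Options and CSP frame-ancestors decide who may frame
    # OUR pages. They do not affect iframes that our pages embed (that is
    # frame-src), so they cannot stop the Jitsi iframe from loading.
    # X-Frame-Options stays disabled as the author left it; the equivalent
    # protection is provided by "frame-ancestors 'self'" in the CSP below.
    # NOTE(review): if another origin legitimately embeds this site, add that
    # origin to frame-ancestors rather than removing the directive.
    # Header always set X-Frame-Options "SAMEORIGIN"

    # Content-Security-Policy.
    #   frame-src        origins this page may embed (Jitsi).
    #   frame-ancestors  only same-origin pages may frame this site.
    #   object-src       'none'; without it plugins fall back to default-src (any https:).
    #   base-uri         'self'; this directive has no default-src fallback at all.
    # NOTE(review): script-src still carries 'unsafe-inline' and 'unsafe-eval', and
    # default-src / connect-src / img-src / media-src accept any https: origin, so
    # the policy does little against injected script or data exfiltration. Tighten
    # with nonces or hashes and explicit hosts once inline scripts are inventoried.
    # fonts.googleapis.com serves stylesheets and is probably not needed in script-src.
    Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://meet.jit.si https://8x8.vc https://cdn.tailwindcss.com https://fonts.googleapis.com; frame-src 'self' https://meet.jit.si https://8x8.vc; connect-src 'self' https://meet.jit.si wss://meet.jit.si https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; media-src 'self' blob: https:; frame-ancestors 'self'; object-src 'none'; base-uri 'self';"
</IfModule>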

# ── Protect sensitive files ───────────────
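# Refuse direct HTTP access to the listed files.
# Apache 2.4 authorises with mod_authz_core ("Require"). The 2.2-era
# "Order/Deny" directives only work there if mod_access_compat is loaded and
# otherwise cause a 500 for the whole directory, so each syntax is used only
# where it is supported.
# The pattern is case-sensitive and covers only the names listed here.
# NOTE(review): a database dump and a diagnostics script are safer stored
# outside the document root than guarded by this rule alone.
<FilesMatch "(config\.php|database\.sql|ai_mod\.py|diag\.php|composer\.json)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>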

# ── Protect includes directory ────────────
<IfModule mod_rewrite.c>
    # Answer 403 Forbidden for any request path under includes/.
    # [F] ends rule processing on its own, so no separate [L] flag is needed.
    # NOTE(review): this guard fails open. If mod_rewrite is not loaded, the
    # <IfModule> wrapper skips the rule silently and includes/ is served normally.
    # A deny rule inside includes/ itself, or moving the directory out of the
    # document root, does not depend on this module.
    RewriteEngine On
    RewriteRule ^includes/ - [F]
</IfModule>

# ── PHP settings ──────────────────────────
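<IfModule mod_php.c>
    # These settings apply only when PHP runs as the Apache module identified by
    # mod_php.c. Under PHP-FPM/CGI, or a build that registers another identifier
    # (e.g. mod_php7.c), the block is skipped silently, so mirror the values in
    # php.ini or .user.ini if they must always hold.

    # Keep PHP errors (paths, queries, stack traces) out of responses.
    php_flag display_errors Off

    # Request size and run-time limits.
    php_value upload_max_filesize 2M
    php_value post_max_size 4M
    php_value max_execution_time 30

    # Session cookie hardening. Boolean ini settings are set with php_flag,
    # not php_value.
    php_flag session.cookie_httponly On
    php_value session.cookie_samesite Lax
    # NOTE(review): session.cookie_secure is not set. If the site is served only
    # over HTTPS, "php_flag session.cookie_secure On" stops the session cookie
    # from being sent over plain HTTP.
</IfModule>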

# ── Caching ───────────────────────────────
<IfModule mod_expires.c>
    # Client-side cache lifetimes, measured from the time of the request.
    # mod_expires counts a week as 7 days and a month as 30 days.
    ExpiresActive On

    # Stylesheets and scripts: one week.
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"

    # Images: one month.
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/jpeg "access plus 30 days"
</IfModule>

# ── GZIP ──────────────────────────────────
<IfModule mod_deflate.c>
    # Compress text-based responses, one content type per directive.
    # NOTE(review): compressing HTML or JSON that contains a secret (such as a
    # CSRF token) alongside reflected request data can leak it via response
    # size (BREACH). Confirm such responses are excluded or their tokens masked.
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>
