# BookGram HTML Embeds - Apache Configuration
# Allows access to HTML files while blocking other file types

# Allow direct access to HTML files.
# These sections only grant access; they matter when a parent configuration
# denies by default. Matching is done on the file name, not the URL path.
# Order/Allow are the Apache 2.2 access directives. On Apache 2.4 they are
# provided by mod_access_compat (the 2.4-native form is "Require all granted").
<Files "*.html">
    Order allow,deny
    Allow from all
</Files>

# Same grant for the short ".htm" extension.
<Files "*.htm">
    Order allow,deny
    Allow from all
</Files>

# Allow access to common web assets (CSS, JS, images, fonts).
# This extension list is repeated in the deny rule further down; the two
# lists must stay identical or a type ends up both allowed and denied.
# NOTE(review): SVG can carry script, so it needs the same level of trust as
# the HTML files served from this directory.
<FilesMatch "\.(css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$">
    Order allow,deny
    Allow from all
</FilesMatch>

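# Deny access to every other extension (PHP, config files, backups, etc.).
# The negative lookahead is anchored with "$" so that only an exact allowed
# extension is exempt. Without the anchor, any extension that merely begins
# with an allowed one (".json", ".jsp", ".html~", ".cssbak") was not denied.
# Limits of this pattern:
#   - names with no extension are not matched and keep the inherited policy;
#   - only the final extension is checked, so "name.php.png" is not denied
#     here. NOTE(review): confirm the server binds script handlers to the
#     final extension only (e.g. SetHandler inside <FilesMatch "\.php$">).
# Keep the extension list identical to the allow rules above.
# Order/Deny are Apache 2.2 directives, provided by mod_access_compat on
# Apache 2.4 (the 2.4-native form is "Require all denied").
<FilesMatch "\.(?!(?:html?|css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$)[^.]+$">
    Order deny,allow
    Deny from all
</FilesMatch>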

# Prevent directory listing: a directory without an index file is not
# rendered as a file list.
# If this file is deployed as an .htaccess, the server config must permit it
# with "AllowOverride Options" (or All); otherwise requests fail with a 500.
Options -Indexes

# Set proper MIME types.
# Declared explicitly because "X-Content-Type-Options: nosniff" (set below)
# makes browsers refuse scripts and stylesheets served with a wrong
# Content-Type.
# The allowed .ico and font extensions (woff, woff2, ttf, eot) are not listed
# here; presumably they rely on the server's global MIME table -- verify.
AddType text/html .html .htm
AddType text/css .css
AddType application/javascript .js
AddType image/png .png
AddType image/jpeg .jpg .jpeg
AddType image/gif .gif
AddType image/svg+xml .svg

# Security headers for embeds.
# The <IfModule> guard means that when mod_headers is not loaded none of
# these headers are sent and no error is raised; check the module list on
# deployment rather than assuming the headers are present.
# "Header set" writes to the default (onsuccess) table, so server-generated
# error responses do not carry these headers; "Header always set" is the
# variant that covers them.
# NOTE(review): these headers restrict who may frame the files, not what the
# framed HTML may do. If embed HTML can come from authors or users, it runs
# with this site's origin; consider a separate origin or a CSP "sandbox"
# directive.
<IfModule mod_headers.c>
    # Allow framing from same origin only (legacy header, kept for older
    # browsers that do not support frame-ancestors)
    Header set X-Frame-Options "SAMEORIGIN"

    # Content Security Policy for embeds: same framing restriction in its
    # current form; browsers that support it prefer it over X-Frame-Options
    Header set Content-Security-Policy "frame-ancestors 'self'"

    # Prevent MIME type sniffing: the declared Content-Type is authoritative
    Header set X-Content-Type-Options "nosniff"
</IfModule>
