# Customer Portal Security

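<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /Bait-alamer/customer/

    # Clean URL: /customer shows customer.php (if logged in) or login.php (if not)
    # This makes the URL bar show just "customer" instead of "customer/customer.php"

    # Hide customer.php from URL: an external request for customer.php is
    # redirected (301) to the directory. THE_REQUEST is the client's original
    # request line, so this condition does not fire for the internal rewrite
    # below (which would otherwise loop). [NC] on the rule mirrors the [NC]
    # already on the condition, so a mixed-case request on a case-insensitive
    # filesystem is redirected instead of being served under the long URL.
    # The query string is carried over to the redirect target by default.
    RewriteCond %{THE_REQUEST} /customer\.php [NC]
    RewriteRule ^customer\.php$ /Bait-alamer/customer/ [NC,L,R=301]

    # When the /customer/ directory itself is requested, serve customer.php.
    # The pattern ^$ matches only the bare directory request; requests for
    # login.php, logout.php or save_prices.php have a non-empty path and never
    # reach this rule, so no exclusion list is needed here.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^$ customer.php [L]
</IfModule>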

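# Allow pricing_control.php (protected by Token in PHP code)
# Nothing in this file restricts the script; the grant only matters when a
# parent config denies it. Access control therefore rests entirely on the
# token check inside the PHP (not visible here - confirm it runs before any
# other work the script does).
<Files "pricing_control.php">
    # mod_authz_core exists only in Apache 2.4+, so probing for it selects the
    # right syntax without mod_version: <IfVersion> is a configuration error
    # (whole .htaccess fails) on a server where that module is not loaded.
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>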

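# Protect sensitive files (Apache 2.2 and 2.4 compatible)
# Web access is refused for: the user store, this .htaccess, the price update
# log, the price data, the shared PHP helpers and the pricing status file.
# The regex is anchored on both ends so only exact names match.
<FilesMatch "^(users\.php|\.htaccess|price_updates\.log|prices\.json|pricing_functions\.php|\.pricing_status\.json)$">
    # mod_authz_core exists only in Apache 2.4+, so probing for it selects the
    # right syntax without mod_version: <IfVersion> is a configuration error
    # (whole .htaccess fails) on a server where that module is not loaded.
    # Both branches deny, so a server matching neither probe is impossible
    # and the rule never silently fails open.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>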

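# Deny web access to the pricing status file. Kept as its own section; it
# could equally be folded into the sensitive-files list above.
<FilesMatch "^(\.pricing_status\.json)$">
    # mod_authz_core exists only in Apache 2.4+, so probing for it selects the
    # right syntax without mod_version: <IfVersion> is a configuration error
    # (whole .htaccess fails) on a server where that module is not loaded.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>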

# Directory index: customer.php is tried first; login.php is only used when
# customer.php does not exist. Redirecting anonymous visitors to the login
# page is therefore up to customer.php itself (not visible here - confirm).
DirectoryIndex customer.php login.php

# Prevent directory listing
# NOTE: Options in .htaccess needs AllowOverride Options (or Options=Indexes)
# in the server config; without it this line makes the whole file fail with
# a 500 instead of just being ignored.
Options -Indexes

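# Security headers
<IfModule mod_headers.c>
    # "always" applies the headers to error responses too (403 from the
    # denied files above, 404, 5xx); plain "set" only covers 2xx responses,
    # and error pages can be framed or content-sniffed like any other.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor this header controlled has been removed from current
    # browsers and was itself a source of problems where it existed; current
    # guidance is to turn it off and rely on a Content-Security-Policy. A CSP
    # is not added here because it needs an inventory of the portal's scripts
    # and styles first.
    Header always set X-XSS-Protection "0"
    # Limit what the portal's URLs leak to other origins.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Strict-Transport-Security belongs here once the portal is served over
    # HTTPS only; this file does not show the scheme, so it is not added.
</IfModule>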
