# IPTV Secure Gateway — Apache 2.4+
# Default: allow public PHP endpoints; deny includes, data, and config.

# Turn off auto-generated directory listings, so a directory without an index
# file does not enumerate its contents to the client.
Options -Indexes

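<IfModule mod_rewrite.c>
  RewriteEngine On
  # Optional: redirect HTTP to HTTPS in production (uncomment).
  # The playlist URLs below carry their md5/expires parameters in the query
  # string, so over plain HTTP those values are readable in transit.
  # RewriteCond %{HTTPS} !=on
  # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  # Refuse direct web access to internal paths with 403 Forbidden.
  # [NC] makes the match case-insensitive, so a case variant of the path
  # (e.g. "Includes/") is refused as well when the site runs on a
  # case-insensitive filesystem.
  # NOTE(review): these denials only exist while mod_rewrite is loaded; if the
  # module is missing, this whole <IfModule> section is skipped and the paths
  # are served normally. Back them up with a rule that does not depend on
  # mod_rewrite (for example a "Require all denied" .htaccess inside includes/
  # and data/), or move those directories outside the document root.
  RewriteRule ^includes/ - [F,L,NC]
  RewriteRule ^data/ - [F,L,NC]
  RewriteRule ^config\.php$ - [F,L,NC]

  # Pretty HLS playlist: /watch/channel.m3u8?md5=...&expires=... → watch.php
  # The channel name is limited to 1-64 characters of [a-zA-Z0-9_-] and passed
  # as ch; QSA appends the original query string (md5, expires) to the target.
  # NOTE(review): this pattern is not an input-validation boundary. watch.php
  # is also reachable directly, and with QSA any ch= already present in the
  # request's query string is appended after the rewritten one. watch.php must
  # therefore validate ch and verify md5/expires itself.
  RewriteRule ^watch/([a-zA-Z0-9_-]{1,64})\.m3u8$ watch.php?ch=$1 [L,QSA]
</IfModule>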

# Response hardening headers. They are only emitted when mod_headers is loaded;
# "always" applies them to error responses (such as the 403s above) as well as
# to successful ones.
<IfModule mod_headers.c>
  # Tell browsers not to MIME-sniff responses away from the declared Content-Type.
  Header always set X-Content-Type-Options "nosniff"
  # Allow framing only by pages from the same origin (clickjacking mitigation).
  Header always set X-Frame-Options "SAMEORIGIN"
  # Cross-origin requests receive only the origin in Referer, not the full URL,
  # which keeps the md5/expires query string of playlist URLs out of
  # third-party Referer headers. Same-origin requests still get the full URL.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
