Initial commit with security patches

.htaccess

@@ -0,0 +1,67 @@
+# XC IPTV API - Apache Configuration
+
+# CORS (Cross-Origin Resource Sharing)
+<IfModule mod_headers.c>
+    Header set Access-Control-Allow-Origin "*"
+    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
+    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
+</IfModule>
+
+# GZIP Compression
+<IfModule mod_deflate.c>
+    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
+</IfModule>
+
+# Cache Control
+<IfModule mod_expires.c>
+    ExpiresActive On
+    ExpiresByType application/json "access plus 5 minutes"
+</IfModule>
+
+# Security Headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set X-XSS-Protection "1; mode=block"
+</IfModule>
+
+# Disable Directory Listing
+Options -Indexes
+
+# Protect Config and Sensitive Files
+<FilesMatch "^(config\.php|rate_limit\.json|.*\.log|.*\.md)$">
+    Order Allow,Deny
+    Deny from all
+</FilesMatch>
+
+# Protect Tokens Directory
+<IfModule mod_rewrite.c>
+    RewriteRule ^tokens/ - [F,L]
+</IfModule>
+
+# Error Pages
+ErrorDocument 404 /404.html
+ErrorDocument 500 /500.html
+
+# Rewrite Rules (opsiyonel - SEF URLs için)
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteBase /
+    
+    # API endpoint'i temizle
+    # /api/v1 yerine /api
+    RewriteRule ^api/?$ api_secured.php [L]
+    
+    # Maintenance check
+    RewriteCond %{REQUEST_URI} !maintenance.html
+    RewriteCond %{DOCUMENT_ROOT}/maintenance.flag -f
+    RewriteRule .* /maintenance.html [R=503,L]
+</IfModule>
+
+# PHP Settings (eğer izin veriliyorsa)
+<IfModule mod_php.c>
+    php_value upload_max_filesize 10M
+    php_value post_max_size 10M
+    php_value memory_limit 128M
+    php_value max_execution_time 30
+</IfModule>