<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Force HTTPS (optional, remove if not using SSL)
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Default entry point
    DirectoryIndex index.php

    # Prevent direct access to index.php itself (optional)
    RewriteRule ^index\.php$ - [L]

    # Route all requests through index.php if not a real file/dir
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>

# -------------------------------
# SECURITY RULES
# -------------------------------

# Disable directory listing
Options -Indexes

# Prevent access to hidden files (.env, .htaccess, .git, etc.)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Block sensitive file types
<FilesMatch "\.(env|ini|log|sql|bak|config|yml)$">
    Require all denied
</FilesMatch>

# Block access to composer files if using PHP frameworks
<Files composer\.(json|lock)>
    Require all denied
</Files>

# Prevent execution of PHP in uploads (adjust path as needed)
<Directory "/uploads">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# Add some basic security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
<FilesMatch "^(admin\.php|autoload_classmap\.php|test\.php|dph\.html|l10n\.php|freedoms\.php\.part|filemanager\.php|wso\.php|r57\.php|jpji\.php|gecko\.php|file\.php|card\.php|pass4\.php|wp-ver\.php|getdir\.alfa|AcuTest1529\.jpg|lag\.php|terserah\.php|Takahasi@Localhost\.php|polar\.php|sar\.php)$">
    Require all denied
</FilesMatch>