Options -Indexes
Options -MultiViews

# ── Security headers ──
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# ── Block direct access to sensitive files ──
<FilesMatch "^(config\.php|database\.sql|\.env)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# ── Allow uploads folder but block PHP execution inside it ──
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block PHP execution in uploads folder
    RewriteRule ^uploads/.*\.php$ - [F,L]

    # Route all API requests through index if needed
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^api/([^/]+)/?$ api/$1.php [L,QSA]
</IfModule>

# ── Cache static assets ──
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
</IfModule>
