Options -Indexes
Options -MultiViews
# ── Security headers ──
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# ── Block direct access to sensitive files ──
Order allow,deny
Deny from all
# ── Allow uploads folder but block PHP execution inside it ──
RewriteEngine On
# Block PHP execution in uploads folder
RewriteRule ^uploads/.*\.php$ - [F,L]
# Route all API requests through index if needed
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/([^/]+)/?$ api/$1.php [L,QSA]
# ── Cache static assets ──
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"