Options -Indexes Options -MultiViews # ── Security headers ── Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy "strict-origin-when-cross-origin" # ── Block direct access to sensitive files ── Order allow,deny Deny from all # ── Allow uploads folder but block PHP execution inside it ── RewriteEngine On # Block PHP execution in uploads folder RewriteRule ^uploads/.*\.php$ - [F,L] # Route all API requests through index if needed RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^api/([^/]+)/?$ api/$1.php [L,QSA] # ── Cache static assets ── ExpiresActive On ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType image/webp "access plus 1 month"