Options -Indexes

# Protect sensitive files
<FilesMatch "\.(sql|log|json|md|sh|env)$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Protect config and core directories
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Block direct access to backend dirs
  RewriteRule ^(core|services|models|config|migrations|tests|logs|uploads)/(.*)$ - [F,L]

  # Route all API requests through api/index.php
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^api/v1/(.*)$ api/index.php [QSA,L]

  # Root → public SPA
  RewriteRule ^$ public/index.html [L]
</IfModule>

# Security headers (complement to PHP-set headers)
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always append X-XSS-Protection "1; mode=block"
</IfModule>

# Charset
AddDefaultCharset UTF-8

# PHP settings (shared hosting)
<IfModule mod_php7.c>
  php_flag display_errors Off
  php_flag log_errors On
  php_value upload_max_filesize 20M
  php_value post_max_size 25M
  php_value max_execution_time 120
  php_value memory_limit 256M
</IfModule>
