Options -Indexes # Protect sensitive files Order deny,allow Deny from all # Protect config and core directories RewriteEngine On # CRITICAL: Set base to match install subdirectory on id-tools.ishir.net RewriteBase /ishircal/calv1/ # Block direct access to backend dirs RewriteRule ^(core|services|models|config|migrations|tests|logs|uploads|compat)/(.*)$ - [F,L] # Route all API requests through api/index.php RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^api/v1/(.*)$ api/index.php [QSA,L] # Root → public SPA RewriteRule ^$ public/index.html [L] Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "SAMEORIGIN" Header always append X-XSS-Protection "1; mode=block" AddDefaultCharset UTF-8