# Turn off automatic directory listings (so a folder without an index file
# does not reveal its contents) and content negotiation via MultiViews
# (so a request for /foo is not silently mapped to foo.php, foo.bak, ...).
Options -Indexes -MultiViews

# Security headers
# These directives need mod_headers. They are not wrapped in <IfModule>, so if
# the module is not loaded Apache rejects the file rather than silently
# serving responses without the headers.
# "always" also attaches the header to error responses (4xx/5xx), not only to
# successful ones.

# Forbid rendering this site inside any frame (clickjacking defence).
Header always set X-Frame-Options "DENY"
# Stop browsers from MIME-sniffing a response into a different content type.
Header always set X-Content-Type-Options "nosniff"
# NOTE(review): X-XSS-Protection drives a legacy browser XSS filter that
# current browsers no longer implement. It is not a substitute for output
# encoding or a Content-Security-Policy, and none is set in this file.
Header always set X-XSS-Protection "1; mode=block"
# Send the Referer header only on same-origin requests.
Header always set Referrer-Policy "same-origin"

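# Front-controller routing.
# Apart from the script-file refusal for uploads/ below, nothing in this
# section denies access: install/, assets/ and uploads/ are passed through
# unchanged, and every other request that is not an existing file or directory
# is handed to index.php. Existing files outside those directories are still
# served directly.
# The whole section is skipped if mod_rewrite is not loaded.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Refuse to serve server-side script files from the upload directory, so an
    # uploaded script is answered with 403 instead of being executed. Must come
    # before the uploads/ pass-through rule below.
    # This extension list is a backstop only: which extensions are actually
    # executed depends on the server's handler mapping, which is not visible
    # here. Disabling script handling for uploads/ in the server configuration
    # is the stronger control.
    RewriteRule ^uploads/.*\.(php[0-9]?|phtml|phar)(/|$) - [F,NC]

    # Allow install directory
    # NOTE(review): the installer stays reachable for as long as this directory
    # exists; remove or restrict it once setup is complete.
    RewriteRule ^install/.*$ - [L]

    # Allow assets and uploads
    RewriteRule ^assets/.*$ - [L]
    RewriteRule ^uploads/.*$ - [L]

    # Route everything else to index.php (only when the request does not map
    # to an existing file or directory). The requested path becomes the query
    # string and QSA keeps the original query parameters.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?$1 [L,QSA]
</IfModule>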

# Protect config and core files
# NOTE(review): as written this section enforces nothing. The inner <IfModule>
# holds only a comment, so no access rule is applied to *.php files, and config
# or core scripts stay directly requestable. A blanket deny on "\.(php)$" would
# also block index.php, so any rule added here has to target the specific
# files or directories to protect (not identifiable from this file).
<FilesMatch "\.(php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
    </IfModule>
</FilesMatch>

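# Block access to hidden files (any file whose name starts with a dot, such as
# .htaccess or .env).
# FilesMatch tests only the final file name, so files that live inside a
# dot-directory but do not themselves start with a dot (for example
# .git/config) are NOT covered by this rule.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        # Apache 2.4+: native syntax. The 2.2 directives below exist on 2.4
        # only when mod_access_compat is loaded; without it they are a
        # configuration error instead of a deny.
        # In a .htaccess file, Require needs AllowOverride AuthConfig.
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>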

# PHP settings
# These limits bound how much one request may upload, how long it may run and
# how much memory it may use.
# NOTE(review): the block is applied only when PHP runs as the Apache module
# that identifies itself as mod_php.c (PHP 8). PHP 7 registers as mod_php7.c
# and PHP 5 as mod_php5.c, and under PHP-FPM or CGI no such module is loaded.
# In those setups the values below are silently ignored and php.ini defaults
# apply. Confirm against the deployed PHP version.
<IfModule mod_php.c>
    # Largest single uploaded file.
    php_value upload_max_filesize 20M
    # Largest whole POST body. Kept above upload_max_filesize so a maximum-size
    # file plus the other form fields still fits.
    php_value post_max_size 22M
    # Maximum script run time, in seconds.
    php_value max_execution_time 60
    # Maximum memory a single script may allocate.
    php_value memory_limit 128M
</IfModule>
