RewriteEngine On
RewriteBase /

# Force HTTPS (uncomment in production)
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
</IfModule>

# Block access to sensitive files
<FilesMatch "\.(env|log|ini|conf|sql|md|json|lock|yml|yaml)$">
    Require all denied
</FilesMatch>

# Block access to hidden files
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Pass API requests directly to API files
RewriteCond %{REQUEST_URI} ^/api/ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^api/(.+)$ api/$1.php [L,QSA]

# If not a real file or directory, route through index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/assets/ [NC]
RewriteRule ^(.*)$ index.php?route=$1 [L,QSA]

# Disable directory listing
Options -Indexes

# PHP settings
<IfModule mod_php.c>
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
    php_value session.cookie_httponly 1
    php_value session.cookie_samesite "Strict"
    php_value session.use_strict_mode 1
</IfModule>