# ============================================
# SECURITY: Protect Sensitive Files
# ============================================

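# Deny access to environment files. The pattern is anchored only at the start,
# so it covers every basename beginning with ".env" (.env, .env.local, .env.bak, ...).
<FilesMatch "^\.env">
    # Apache 2.4+: native authorization. The legacy Order/Deny pair only works
    # there when mod_access_compat is loaded; without it, it is a configuration error.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>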

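# Protect sensitive configuration and system files.
# FilesMatch tests the file's basename, so these names are refused in every
# directory this .htaccess applies to. The dependency manifests and lockfiles
# are included because they disclose exact package versions.
<FilesMatch "^(\.env.*|\.git.*|\.htaccess|\.htpasswd|composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|phpunit\.xml|webpack\.config\.js|artisan|server\.php|README\.md|LICENSE|CHANGELOG\.md)$">
    # Apache 2.4+: native authorization (Order/Deny there depends on mod_access_compat)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>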

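# Refuse direct requests for private files and directories (mod_alias).
# RedirectMatch tests the URL path; with a 403 status it takes no target URL
# and simply answers "Forbidden".
RedirectMatch 403 ^/\.env$
RedirectMatch 403 ^/\.git
RedirectMatch 403 ^/storage/
RedirectMatch 403 ^/bootstrap/cache/
RedirectMatch 403 ^/vendor/
RedirectMatch 403 ^/node_modules/
# Catch-all for any other top-level dotfile or dot-directory.
# /.well-known/ (RFC 8615) is exempted: a blanket "^/\." also refuses the
# HTTP-based domain-validation paths that certificate issuance and renewal rely on.
# NOTE(review): the routing rules further down still map the request under
# public/ - confirm the validation files are reachable there.
RedirectMatch 403 ^/\.(?!well-known/)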

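# Protect PHP configuration files (php.ini, .user.ini and any other *.ini)
<FilesMatch "\.ini$">
    # Apache 2.4+: native authorization (Order/Deny there depends on mod_access_compat)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>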

# Disable directory browsing: a directory without an index file returns 403
# instead of an auto-generated listing of its contents.
Options -Indexes

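# Prevent access to backup, temporary, dump and source-like files.
# These are usually left behind by editors, deploys or database exports and
# would otherwise be served as plain text. The trailing "~" alternative covers
# editor backup copies such as "index.php~".
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
    # Apache 2.4+: native authorization (Order/Deny there depends on mod_access_compat)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>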

# ============================================
# MAIN APPLICATION ROUTING
# ============================================

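RewriteEngine on

# Canonical URLs: 301-redirect any path with a trailing slash to the same path
# without it, unless the path is a real directory.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Serve every other request from public/, so files in the project root
# (source, configuration, vendor code) are never resolved directly.
# REQUEST_URI always begins with "/", so the previous pattern "!^public" could
# never match and excluded nothing; the exclusion needs the leading slash.
# NOTE(review): assumes this file sits in the document root - if the site is
# served from a sub-path, adjust the prefix accordingly.
RewriteCond %{REQUEST_URI} !^/public(/|$)
RewriteRule ^(.*)$ public/$1 [L]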

# NOTE(review): the block below is managed by cPanel and is rewritten when the
# PHP version is changed there, so it is left untouched. Be aware that AddHandler
# keys on any extension in a filename, not only the last one: a name such as
# "report.php.txt" is also handed to PHP. Code that stores uploaded files under
# the web root should normalise their names for that reason.
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
