RewriteEngine On

# Block direct access to config/includes/database folders
<IfModule mod_rewrite.c>
  RewriteRule ^(config|includes|database)/ - [F,L]
</IfModule>

# Deny listing of uploads directory, but allow the files themselves to be served
Options -Indexes

# Security headers
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Never execute PHP inside the uploads directory (prevents webshell uploads)
<IfModule mod_php.c>
  <Directory "uploads">
    php_flag engine off
  </Directory>
</IfModule>
<FilesMatch "\.(php|phtml|php\d)$">
  <If "%{REQUEST_URI} =~ m#^/uploads/#">
    Require all denied
  </If>
</FilesMatch>

# Friendly 404
ErrorDocument 404 /index.php
