Options -Indexes

RewriteEngine On

# =========================================
# Protect Sensitive Files
# =========================================

<FilesMatch "^(\.env|composer\.json|composer\.lock|database\.sql|error_log)$">
    Require all denied
</FilesMatch>

# =========================================
# Block Direct Access To Includes
# =========================================

RewriteRule ^includes/ - [F,L]

# =========================================
# Security Headers
# =========================================

<IfModule mod_headers.c>

Header set X-Frame-Options "SAMEORIGIN"

Header set X-Content-Type-Options "nosniff"

Header set Referrer-Policy "strict-origin-when-cross-origin"

Header set X-XSS-Protection "1; mode=block"

</IfModule>

# =========================================
# Disable Directory Browsing
# =========================================

Options All -Indexes

# =========================================
# Prevent PHP Execution In Uploads
# =========================================

RewriteRule ^uploads/.*\.(php|phtml|php3|php4|php5|phar)$ - [F,L]

# =========================================
# Pretty URL Support (Optional Future)
# =========================================

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# =========================================
# File Upload Limits
# =========================================

php_value upload_max_filesize 20M
php_value post_max_size 25M
php_value max_execution_time 300
php_value max_input_time 300

# =========================================
# Default UTF-8
# =========================================

AddDefaultCharset UTF-8