# Disable directory browsing
Options -Indexes

# Block TRACE method
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Deny access to hidden files
RedirectMatch 403 /\..*$

# Protect .git
RedirectMatch 404 /\.git

# Block common sensitive file types
<FilesMatch "\.(env|ini|log|sql|bak|swp|inc|sh|conf|config|phpinfo\.php)$">
  Order allow,deny
  Deny from all
</FilesMatch>

# Security Headers
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=()"
  Header always set Content-Security-Policy "default-src 'self';"
</IfModule>

# Disable Apache signature
ServerSignature Off

# Clean URLs
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>

<IfModule !mod_rewrite.c>
  ErrorDocument 404 index.php
</IfModule>
