Options -Indexes
ServerSignature Off

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-zA-Z0-9/_-]+)/?$ index.php?route=$1 [QSA,L]
</IfModule>

<FilesMatch "^(\.env|composer\.(json|lock)|README\.md|AGENTS\.md)$">
Require all denied
</FilesMatch>
<FilesMatch "\.(sql|log|bak|ini|sh)$">
Require all denied
</FilesMatch>

<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header set Content-Security-Policy "default-src 'self' https://cdn.jsdelivr.net https://code.jquery.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://code.jquery.com; font-src 'self' https://cdn.jsdelivr.net data:"
</IfModule>
