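# Enable URL rewriting (mod_rewrite must be loaded and permitted for this directory)
RewriteEngine On

# ----------------------------------------------------------------------
# Hide .php extension (access file.php via /file)
# ----------------------------------------------------------------------
# Leave real directories alone so DirectoryIndex still serves them.
RewriteCond %{REQUEST_FILENAME} !-d
# Only rewrite when a matching .php script exists on disk.
RewriteCond %{REQUEST_FILENAME}\.php -f
# Loop guard: for a URL such as /file/extra, Apache can resolve
# REQUEST_FILENAME to the existing prefix ("file"), so the -f test above keeps
# succeeding after the rewrite and the rule re-applies until the
# internal-redirect limit returns a 500. Once the URI already ends in .php,
# stop rewriting and let the request fall through to a normal 404.
RewriteCond %{REQUEST_URI} !\.php$
# Internal rewrite only (no R flag): the client keeps the extensionless URL.
RewriteRule ^(.+?)/?$ $1.php [L]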

# Optional: Redirect .php URLs to extensionless (for SEO)
# THE_REQUEST is the raw request line sent by the client, so this only fires
# when the client itself asked for *.php, not after the internal rewrite that
# appends .php.
# NOTE(review): the target is hard-coded to /support/, so this file presumably
# lives in that directory; adjust the prefix if it is deployed elsewhere.
# NOTE(review): the method is not checked, so a POST to file.php also gets the
# 301; most clients replay a 301 as GET and drop the body. Confirm that forms
# post to the extensionless URL.
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/([^\s]+)\.php [NC]
RewriteRule ^(.*)\.php$ /support/$1 [R=301,L]


# ----------------------------------------------------------------------
# Disable directory browsing
# ----------------------------------------------------------------------
# Without an index file, Apache would otherwise list the directory contents,
# exposing file names (backups, dumps, uploads) to anyone who asks.
# Takes effect in .htaccess only if the server allows Options to be overridden.
Options -Indexes

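# ----------------------------------------------------------------------
# Prevent access to sensitive files
# ----------------------------------------------------------------------
# FilesMatch tests the file's base name only, so this covers files whose
# name ends in one of the listed extensions (.env, .htaccess, dump.sql, ...).
<FilesMatch "\.(htaccess|htpasswd|env|git|log|sql|sh|bash|ini|bak|old|swp|tmp)$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax. On 2.4 these directives only exist when
    # mod_access_compat is loaded, and an unknown directive in .htaccess
    # turns every request for this directory into a 500.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# The "git" entry above does not protect a .git/ directory: the files inside
# it (config, HEAD, objects/...) do not end in ".git", so FilesMatch never
# matches them. Refuse the whole path by URL instead, and answer 404 so the
# response does not confirm that a repository is present.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.git(/|$)"
</IfModule>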

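# ----------------------------------------------------------------------
# Block access to config files
# ----------------------------------------------------------------------
# Denies direct HTTP requests for config.php, db.php and database.php in this
# directory tree. The rule is applied to the final file name, so the
# extensionless form (/config) rewritten to config.php is refused as well.
# PHP can still include these files from disk. Keeping credentials outside
# the document root remains the stronger control, because this rule is lost
# if .htaccess processing is ever disabled.
<FilesMatch "^(config|db|database)\.php$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax (needs mod_access_compat on 2.4).
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>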

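# ----------------------------------------------------------------------
# Security headers
# ----------------------------------------------------------------------
# "always" is used on every header: a plain "Header set" only decorates
# successful responses, so the 403/404/5xx pages produced by the rules in this
# file would otherwise go out without these headers.
# If mod_headers is not loaded this whole section is skipped silently, so
# verify the headers on a live response after deployment.
<IfModule mod_headers.c>
    # Clickjacking protection: only same-origin pages may frame this site.
    Header always set X-Frame-Options "SAMEORIGIN"
    # NOTE(review): legacy header; current browsers have removed the XSS
    # auditor it controls, so it is not a substitute for output encoding or a
    # Content-Security-Policy. Value kept as the author set it.
    Header always set X-XSS-Protection "1; mode=block"
    # Stop browsers from guessing a content type that differs from the
    # declared one (e.g. treating an upload as script).
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): this policy still sends the full URL (path and query
    # string) to other HTTPS sites. If URLs can carry tokens or identifiers,
    # consider "strict-origin-when-cross-origin" instead.
    Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>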

# ----------------------------------------------------------------------
# Disable server signature
# ----------------------------------------------------------------------
# Removes the version footer from server-generated pages (error pages,
# listings). It does not change the "Server:" response header; that is set by
# ServerTokens, which can only be configured in the main server config, not
# in .htaccess.
ServerSignature Off

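# ----------------------------------------------------------------------
# Restrict HTTP methods
# ----------------------------------------------------------------------
# Refuse every method except GET and POST (HEAD is covered by GET).
# TRACE cannot be restricted from here; it is controlled by TraceEnable in the
# main server config.
# Apache 2.4+: native authorization syntax.
<IfModule mod_authz_core.c>
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
</IfModule>
# Apache 2.2: legacy syntax (needs mod_access_compat on 2.4; without it the
# unknown directive would turn every request for this directory into a 500).
<IfModule !mod_authz_core.c>
    <LimitExcept GET POST>
        Deny from all
    </LimitExcept>
</IfModule>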

# ----------------------------------------------------------------------
# Prevent image hotlinking (optional)
# ----------------------------------------------------------------------
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC,L]

# ----------------------------------------------------------------------
# Default index file
# ----------------------------------------------------------------------
# Files are tried in the order listed; index.php wins when both exist.
# Together with "Options -Indexes", a directory with neither file is refused
# rather than listed.
DirectoryIndex index.php index.html

