# Prevent directory listing: with Indexes off, a request for a directory that
# has no index file is refused instead of returning an auto-generated file list.
# If this file is deployed as .htaccess, the server configuration must permit
# it (AllowOverride has to include Options). After deployment, confirm that
# such a directory request really returns 403.
Options -Indexes

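# Deny access to sensitive files by extension (environment files, logs,
# database dumps, backups, configuration). This matches file names only, not
# directories, and any extension not listed here is still served.
# (?i) makes the match case-insensitive, so names such as "dump.SQL" or
# "site.BAK" are covered as well.
<FilesMatch "(?i)\.(env|log|md|sql|bak|backup|old|ini|conf)$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 the Order/Deny directives exist only when
    # mod_access_compat is loaded; without it they make every request fail
    # with a configuration error, hence the module test.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>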

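# Block direct web access to the internal directories includes/, config/ and
# storage/.
# NOTE: this protection depends on mod_rewrite. If the module is not loaded,
# the <IfModule> section is skipped silently and these directories are served
# normally. Keeping them outside the document root, or placing a deny-all
# .htaccess inside each of them, does not have that dependency.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Answer 403 for anything under the three directories. [NC] also covers
    # differently-cased paths, which resolve to the same directory on
    # case-insensitive filesystems. [F] ends rule processing by itself.
    RewriteRule ^(includes|config|storage)/ - [F,NC]
</IfModule>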

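# Security headers. "always" attaches them to error responses (4xx/5xx) as
# well as to successful ones. If mod_headers is not loaded, none of these
# headers are sent and no error is raised, so check the response headers after
# deployment.
<IfModule mod_headers.c>
    # Clickjacking: only pages from the same origin may frame this site.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # Turn the legacy browser XSS filter off explicitly. Current browsers have
    # removed it, and in the older ones that still honor the header the
    # filtering itself has caused security problems, so "0" is the value
    # recommended today. Defense against script injection belongs in output
    # encoding and a Content-Security-Policy, which this file does not set.
    Header always set X-XSS-Protection "0"

    # Send the full URL as referrer to the same origin only; other origins get
    # just the origin, and nothing is sent on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>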

# Disable server signature: removes the server version/host footer line from
# server-generated pages such as error documents.
# This does not change the "Server" response header. That header is governed
# by ServerTokens, which can only be set in the main server configuration and
# not in a per-directory file.
ServerSignature Off
