# Maps every request onto the public/ directory so that URLs resolve only to
# files below public/. If mod_rewrite is not loaded, this block is skipped
# silently and the project root is served as-is; the deny rules further down
# are then the only barrier in front of source and configuration files.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Internally rewrite (no external redirect, there is no R flag) all
    # requests to the public folder. The condition skips URIs that already
    # start with /public/, which keeps the rule from re-applying to its own
    # output. The substitution assumes this file sits at the document root.
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteRule ^(.*)$ /public/$1 [L,QSA]
</IfModule>

# Prevent directory listing
# Needs "AllowOverride Options" (or All) in the server configuration; where
# Options overrides are not permitted, Apache rejects this directive instead
# of applying it.
Options -Indexes

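# Protect sensitive files
# Denies HTTP access to any file whose name ends in one of these extensions.
# FilesMatch tests file names only, so the "git" alternative covers files
# ending in ".git" but not the contents of a .git directory.
# The pattern is deliberately broad: it also blocks every .json and .md file
# below public/, so a publicly served JSON asset needs its own exception.
<FilesMatch "\.(env|blade\.php|json|lock|md|log|git|gitignore|sh)$">
    # Apache 2.4 authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 these directives exist only when
    # mod_access_compat is loaded; without it they abort the request with a
    # server error, which is why they are no longer used unconditionally.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>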

# Protect .git folder
# Answers 404 for every URL path that contains "/.git" (this also matches
# names such as .gitignore), so the response gives no indication that a
# repository is present. RedirectMatch is provided by mod_alias.
RedirectMatch 404 /\.git

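# Protect configuration files
# Exact-name match for dependency manifests and the artisan script. The
# .json and .lock names are already covered by the extension rule earlier in
# this file; "artisan" has no extension and is only protected here.
<FilesMatch "^(composer\.json|composer\.lock|package\.json|package-lock\.json|artisan)$">
    # Apache 2.4 authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 these directives exist only when
    # mod_access_compat is loaded; without it they abort the request with a
    # server error, which is why they are no longer used unconditionally.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>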

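# Disable PHP execution in storage and cache
# The former "php_flag engine off" inside <IfModule mod_php8.c> protected
# nothing: PHP 8 registers its Apache module as mod_php.c, so the guard never
# matched. Correcting only the module name would be worse, because in a
# site-root .htaccess the flag is not limited to those directories and would
# switch PHP off for the entire tree.
# Instead, refuse PHP-like files under any storage/ or cache/ path segment.
# This also works when PHP runs through FPM or CGI rather than mod_php.
# For an engine-level switch, place "php_flag engine off" in an .htaccess
# inside each directory, or use php_admin_flag in a <Directory> block of the
# server configuration.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)(storage|cache)/.*\.(php\d*|phtml|phar)$ - [F,NC]
</IfModule>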

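# Security headers
# "always" attaches the headers to error and redirect responses as well (for
# example the 403/404 answers produced by the rules in this file); a plain
# "Header set" covers successful responses only.
# If the application emits the same headers itself, they can appear twice;
# set each header in one place only.
<IfModule mod_headers.c>
    # Stops browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Allows framing by same-origin pages only (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header: current browsers no longer ship the XSS filter it
    # controls, so it is not an XSS defence. A Content-Security-Policy is the
    # effective control. Value kept as originally configured.
    Header always set X-XSS-Protection "1; mode=block"
    # Sends the full URL as referrer to same-origin targets and only the
    # origin to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>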
