# Turn on mod_rewrite processing for the rules in this file.
RewriteEngine On

# Force HTTPS (uncomment after SSL is installed)
# Until this is enabled, every path handled below (including admin/, partner/
# and api/) is reachable over plain HTTP.
# NOTE(review): the redirect target is built from %{HTTP_HOST}, which echoes
# the Host header sent by the client. If the virtual host accepts arbitrary
# Host values, consider hard-coding the site's canonical hostname instead.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Front-controller style routing: anything that is not an existing file or
# directory, and does not already live under one of the top-level folders
# listed below, is internally rewritten into public/ with its query string
# preserved (QSA).
#
# NOTE(review): uploads/ is exempt from routing, so files there are served
# directly by Apache. Nothing in this file stops a script placed in uploads/
# from being handled as code; confirm that directory carries its own
# restrictions (handler removal / deny rules for executable types).
RewriteCond %{REQUEST_URI} !^/(public|admin|partner|api|cron|assets|uploads)/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ public/$1 [QSA,L]

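# Block direct access to sensitive folders (answers 403 Forbidden).
# The routing rule earlier in this file skips existing files and directories,
# so requests for real files under these folders fall through to the rules
# below.
# NC makes the match case-insensitive: on a case-insensitive filesystem a
# request such as /Config/... resolves to the same files but would not match
# a case-sensitive ^config/ pattern.
# NOTE(review): these rules are the only protection shown here and depend on
# mod_rewrite being active. Keeping these folders outside the document root,
# or adding a deny-all access rule inside each one, does not depend on
# rewrite processing.
RewriteRule ^config/ - [F,L,NC]
RewriteRule ^includes/ - [F,L,NC]
RewriteRule ^logs/ - [F,L,NC]
RewriteRule ^cron/ - [F,L,NC]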

# Disable directory listing, so a folder without an index file does not
# return an auto-generated listing of its contents.
# NOTE(review): if this is a per-directory .htaccess file, the server config
# must permit overriding Options (AllowOverride) for this line to be accepted.
Options -Indexes

# Default document: files tried, in this order, when a directory is requested.
DirectoryIndex index.php index.html

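# Security headers
# "always" attaches the headers to every response, including error pages and
# redirects generated by Apache; a plain "Header set" only covers successful
# responses.
# NOTE(review): no Content-Security-Policy is set here. CSP is the current
# control for script injection and framing, but its value is site-specific.
# Once the HTTPS redirect is enabled, Strict-Transport-Security belongs here
# as well.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing by same-origin pages only (clickjacking mitigation).
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy browser XSS filter is deprecated and "1; mode=block" could be
    # abused in older browsers; "0" switches it off explicitly.
    Header always set X-XSS-Protection "0"
</IfModule>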

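# Hide sensitive files: deny any request whose file name ends in one of the
# listed extensions. (?i) makes the match case-insensitive so that names such
# as DUMP.SQL are covered too.
# Order/Deny are Apache 2.2 directives; on 2.4 they exist only through
# mod_access_compat, so the 2.4 form (Require) is used when available and the
# 2.2 form is kept as a fallback.
# NOTE(review): the list covers only these five extensions. Extend it if the
# deployment can contain other non-public files (backups, editor swap files,
# dependency manifests, version-control metadata).
<FilesMatch "(?i)\.(sql|md|log|env|ini)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>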

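# Allow access to specific files
# robots.txt does not match the extension deny-list in this file, so this
# block only states explicitly that the file is public.
# Uses the Apache 2.4 directive when mod_authz_core is present and falls back
# to the 2.2 Order/Allow form otherwise.
<Files "robots.txt">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>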
