# --- Basic security: deny access to dotfiles and common sensitive files ---
<FilesMatch "^(\.|composer\.json|composer\.lock|package\.json|package-lock\.json|\.env|README|CHANGELOG)">
  Require all denied
</FilesMatch>

# Block access to .git and vendor directories
RedirectMatch 403 (?i)/(\.git|vendor)(/|$)

# --- Enable pretty URLs: serve .php for extensionless requests ---
RewriteEngine On
# Optional: set a base if your site is in a subdirectory
# RewriteBase /

# don't rewrite existing files or directories
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# rewrite extensionless requests (including subpaths) to .php
RewriteRule ^([^\.\s]+)/?$ $1.php [L,QSA]

# --- PHP error setting: works only with mod_php ---
# If using PHP-FPM/CGI, set display_errors in php.ini or use ini_set in your app.
<IfModule mod_php7.c>
  php_flag display_errors Off
</IfModule>
<IfModule mod_php8.c>
  php_flag display_errors Off
</IfModule>

# --- Recommended security headers (requires mod_headers) ---
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set Referrer-Policy "no-referrer-when-downgrade"
  Header set X-XSS-Protection "1; mode=block"
</IfModule>
