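<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        # MultiViews lets mod_negotiation pick a file with a different
        # extension for an extension-less URL, which would sidestep the
        # per-file rules below; Indexes would list directory contents.
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Block direct access to sensitive files in the document root.
    # [NC] makes the match case-insensitive so that a case-insensitive
    # filesystem (macOS, Windows) cannot be used to reach e.g. ".ENV".
    RewriteRule ^\.env$ - [F,L,NC]
    RewriteRule ^composer\.json$ - [F,L,NC]
    RewriteRule ^composer\.lock$ - [F,L,NC]
    RewriteRule ^package\.json$ - [F,L,NC]
    RewriteRule ^package-lock\.json$ - [F,L,NC]

    # Block the storage tree except the public photos, uploads and bots
    # folders. The allowlist is anchored on a path-segment boundary so a
    # sibling directory that merely shares the prefix (e.g.
    # "app/public/photos-private/...") is still denied.
    RewriteRule ^storage/(?!app/public/(?:photos|uploads|bots)(?:/|$))(.*)$ - [F,L]

    # Never expose repository metadata, whether ".git" is a directory or a
    # plain file (worktree pointer).
    RewriteRule ^\.git(?:/|$) - [F,L,NC]

    # Handle Authorization Header (PHP-CGI/FPM setups drop it otherwise;
    # this re-exports it as an environment variable for the application)
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    # Real directories are left alone so DirectorySlash keeps working.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    # Anything that is not an existing file or directory goes to index.php.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>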

# Deny access to .htaccess
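<Files .htaccess>
    # Apache 2.4 (mod_authz_core) syntax first. The 2.2 form is kept only
    # for servers that lack mod_authz_core; on 2.4 without mod_access_compat
    # "Order"/"Deny" are unknown directives and would make this whole
    # .htaccess fail with a 500, so the two forms are mutually exclusive.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>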

# Deny access to files with specific extensions
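<FilesMatch "^\.(?!well-known)|\.(?:env|log|yml|yaml|xml|md|sql|sh|config|bak|gitignore|gitattributes|lock|json|inc|dist|cache|git|docker|dockerignore)$">
    # <FilesMatch> is tested against the last path component only, so the
    # first alternative denies every dotfile (.env, .env.example, .git*,
    # .DS_Store, ...). Requests under /.well-known/ are not affected by it
    # because their file names are not dotfiles; the exclusion only spares a
    # file literally named ".well-known...".
    # NOTE: the extension list also denies public assets such as
    # manifest.json or sitemap.xml; narrow it if the app serves those as
    # static files.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # 2.2 fallback; on 2.4 these directives need mod_access_compat and
        # would otherwise break the whole file.
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>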

# Disable directory browsing
# Requires "AllowOverride Options" (or All) in the server config; without
# it Apache rejects the whole .htaccess with a 500. Presumably placed
# outside <IfModule mod_rewrite.c> so it applies even when mod_rewrite is
# not loaded.
Options -Indexes

# Prevent viewing of .env file
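<FilesMatch "^\.env">
    # "<Files ~>" is the deprecated spelling of <FilesMatch>; the regex is
    # unchanged, so ".env", ".env.example", ".env.backup" etc. stay denied
    # (this overlaps with the dotfile rule above and is kept as belt and braces).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # 2.2 fallback; on 2.4 these directives need mod_access_compat.
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>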

# Protect against common attacks
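<IfModule mod_headers.c>
    # "always" applies the headers to error responses (4xx/5xx) as well;
    # plain "Header set" only touches the success-response table, so
    # error pages would go out without them.
    Header always set X-Content-Type-Options "nosniff"
    # The legacy browser XSS auditor has been removed from current browsers
    # and could be abused in older ones; OWASP recommends disabling it
    # explicitly rather than enabling "mode=block".
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Drop the PHP version banner (set when expose_php is on); uses the
    # success table because that is where the application's headers land.
    Header unset X-Powered-By
</IfModule>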

