Options -Indexes
RewriteEngine On

# Security headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

# If request is not for existing file/dir, route to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

# Block sensitive files
<FilesMatch "\.(env|log|sql|sh|json|lock|md)$">
    Order allow,deny
    Deny from all
</FilesMatch>
