# Security - Block access to sensitive files and directories
<Files ~ "^\.">
    Order allow,deny
    Deny from all
</Files>

<FilesMatch "\.(php|ini|log|conf|config)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block access to core directories
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        <RequireNone>
            Require all denied
        </RequireNone>
    </RequireAll>
</IfModule>

# Directory protection
<Directory ~ "^\.|/(config|templates|vendor|cache)/">
    Order allow,deny
    Deny from all
</Directory>

# URL Routing - Route all requests to index.php
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Set base directory
    RewriteBase /
    
    # Block direct access to PHP files in content directory
    RewriteRule ^content/.*\.php$ - [F,L]
    
    # Route all non-file/non-directory requests to index.php
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php [QSA,L]
    
    # Allow access to assets
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^assets/.*$ - [L]
    
    # Allow access to content files (except PHP)
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !\.php$
    RewriteRule ^content/.*$ - [L]
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# PHP settings
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php_errors.log
    php_value max_execution_time 30
    php_value memory_limit 128M
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
</IfModule>

# Default index file
DirectoryIndex index.php

# Error handling
ErrorDocument 404 /index.php