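# Block access to sensitive files.
# NOTE: <FilesMatch> tests the *basename* of the requested file only, so this
# protects a file literally named ".git" (a gitfile) but NOT the contents of a
# .git/ directory tree (e.g. .git/config, .git/HEAD); directory trees need a
# path-based rule (RewriteRule/RedirectMatch). ".env" is listed explicitly even
# though the dot-file rule below also covers it, so this block stands on its own.
<FilesMatch "(\.env|\.git|composer\.(json|lock)|package\.json|package-lock\.json|phpunit\.xml|webpack\.mix\.js|vite\.config\.js|artisan)$">
    # Apache 2.4: "Order/Deny" only exist when mod_access_compat is loaded and
    # otherwise produce a 500. Use the authz_core form and keep the 2.2 form as
    # a fallback for servers that lack mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>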

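# Block access to hidden files (basename starting with ".").
# <FilesMatch> only sees the basename, so on its own this does not cover the
# contents of hidden *directories* (.git/, .svn/, .idea/ ...); see the rewrite
# rule that follows for those.
<FilesMatch "^\.">
    # Apache 2.4 syntax first; 2.2 "Order/Deny" kept only as a fallback, since
    # without mod_access_compat those directives are unknown and cause a 500.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block access to hidden directories by path. In per-directory context the
# pattern is matched against the path with the leading slash stripped, hence
# the (^|/) anchor. /.well-known/ is deliberately allowed (ACME HTTP-01
# challenges, security.txt); everything else under a dot-segment is refused.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.(?!well-known(/|$)) - [F]
</IfModule>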

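# Prevent PHP execution in user-writable directories (storage/, uploads/).
# This rule is evaluated before the front-controller rules further down, so a
# matching request is refused with 403 instead of being served or rewritten.
#
# Hardening over a bare "\.php$" match:
#  - NC: the handler mapping may be case-insensitive on some setups (.PHP).
#  - php[0-9]/phtml/phar: other extensions commonly mapped to the PHP handler.
#  - (\.|/|$): with AddHandler (as opposed to SetHandler) Apache treats
#    "shell.php.jpg" as PHP, and "shell.php/extra" can be executed with
#    PATH_INFO; requiring the extension to be followed by ".", "/" or end of
#    string catches both instead of only a trailing ".php".
# The most reliable fix is to disable the PHP engine for those directories in
# the server config ("php_admin_flag engine off" / "RemoveHandler"); this
# rewrite is defence in depth for hosts where only .htaccess is available.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(storage|uploads)/.*\.(php[0-9]?|phtml|phar)(\.|/|$) - [F,NC]
</IfModule>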

# Disable server signature: removes the "Apache/x.y (OS)" footer from
# server-generated pages (error pages, directory listings). This does NOT
# affect the "Server:" response header - that is governed by ServerTokens,
# which is only valid in the main server configuration, not in .htaccess.
ServerSignature Off

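# Directory listings must be off unconditionally. Real directories (e.g. a
# storage/ symlink) are NOT routed to the front controller (see the !-d
# condition below), so with Indexes enabled they would be listed by
# mod_autoindex. Keeping this outside the mod_negotiation guard means it is
# still applied when mod_negotiation is not loaded.
Options -Indexes

<IfModule mod_rewrite.c>
    # -MultiViews is a mod_negotiation option and is rejected as "illegal"
    # when that module is absent, hence the guard. MultiViews would otherwise
    # let /foo resolve to foo.php and bypass the front controller.
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Handle Authorization Header: Apache strips it from the CGI/FastCGI
    # environment; re-export it so the application can read bearer/basic auth.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    # %1 is the request path without its trailing slash; because it starts with
    # "/" and is not an absolute URL, mod_rewrite qualifies it with this
    # server's scheme and host before issuing the 301.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller...
    # Anything that is neither an existing directory nor an existing file goes
    # to index.php; existing files are served directly, which is why the
    # FilesMatch / storage rules above must deny sensitive files themselves.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>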

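# Security response headers (backup for servers that don't process PHP headers).
# "always" makes mod_headers apply these to error responses (4xx/5xx) as well,
# which would otherwise go out without them.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    # Current guidance (OWASP) is to turn the legacy XSS auditor OFF rather than
    # on: modern browsers ignore the header, and in older ones "1; mode=block"
    # has been used to leak information about the page. CSP is the replacement.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # Headers emitted by the application (PHP's X-Powered-By) live in the
    # "onsuccess" table, which "always" does not cover, so unset from both
    # tables. The reliable fix is expose_php=Off in php.ini.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    # NOTE(review): this line is ineffective - Apache adds the Server header
    # after the header filters run, so mod_headers cannot remove it. Use
    # "ServerTokens Prod" in the main server config instead. Kept as harmless.
    Header always unset Server
    # TODO(review): enable once the site is confirmed HTTPS-only and a policy
    # has been built and tested against the application:
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Header always set Content-Security-Policy "frame-ancestors 'none'"
</IfModule>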
