<IfModule mod_rewrite.c>
    # NOTE(review): every rule in this block, including the dotfile block, is
    # skipped silently when mod_rewrite is not loaded. Confirm the module is
    # enabled on the target server, or also deny dotfiles in the server/vhost
    # configuration so the protection does not depend on this file alone.
    RewriteEngine On
    # No hard-coded RewriteBase — Apache uses this .htaccess's directory as
    # the base automatically, so the app works whether it's served at the
    # domain root, in a subdirectory, or as a subdomain.

    # Block direct access to dotfiles (e.g. .git, .env) with 403 Forbidden.
    # The pattern matches a dot at the start of any path segment, whether or
    # not the path exists on disk. It therefore also rejects /.well-known/
    # (ACME HTTP-01 challenges, security.txt) if those are meant to be served
    # from this directory.
    # NOTE(review): a subdirectory whose own .htaccess configures mod_rewrite
    # does not inherit these rules unless it sets RewriteOptions Inherit;
    # check any nested .htaccess files.
    RewriteRule "(^|/)\." - [F]

    # If the request maps to a real file or directory, serve it directly.
    # This applies to every non-dot file below this directory, not only to
    # assets: keep configuration, dependency manifests, backups and logs
    # outside the served tree, because no rule here stops them being returned.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # Otherwise, route everything through the front controller. QSA keeps the
    # original query string on the rewritten request.
    RewriteRule ^ index.php [L,QSA]
</IfModule>

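<IfModule mod_headers.c>
    # Baseline response-hardening headers.
    # "always" applies them to every response, including the error pages and
    # redirects Apache generates itself (for example the 403 returned for
    # dotfile requests). With the default condition (onsuccess) the headers
    # are left off those locally generated non-2xx responses.
    # NOTE(review): if index.php emits any of these headers as well, inspect
    # a live response for duplicated or conflicting values.

    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing by same-origin pages only. A Content-Security-Policy
    # frame-ancestors directive is the current equivalent of this header.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Send the full URL as referrer to same-origin requests, only the origin
    # cross-origin, and nothing on an HTTPS-to-HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>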

# Serve index.php when a directory itself is requested.
# NOTE(review): the rewrite rules pass existing directories through untouched,
# so a directory without an index.php depends on the server's Options setting.
# If Indexes is enabled there, its contents are listed; confirm directory
# listings are turned off.
DirectoryIndex index.php
