DirectorySlash Off

# Block direct access to content source files
<FilesMatch "\.(ini|md|html|php)$">
    # Allow only the entry point
    <If "%{REQUEST_URI} != '/index.php'">
        Require all denied
    </If>
</FilesMatch>

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# Restrict HTTP methods to GET, POST, HEAD
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ [NC]
    RewriteRule .* - [F,L]

    # Route /app requests to index.php
    RewriteCond %{REQUEST_URI} ^/app/
    RewriteRule ^(.*)$ /index.php [L,QSA]

    # Don't rewrite if file exists
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ /index.php [L,QSA]
</IfModule>