Options -Indexes

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /public/

# Block direct access to hidden files
RewriteRule "(^|/)\." - [F,L]

# Let real files and directories pass through
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
</IfModule>

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set Cross-Origin-Resource-Policy "same-origin"
# Enable only after HTTPS is confirmed:
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

<FilesMatch "(^\.env$|composer\.(json|lock)$|package(-lock)?\.json$|yarn\.lock$)">
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
    Deny from all
    </IfModule>
</FilesMatch>
