# Enable Rewrite Engine
RewriteEngine On

# Prevent directory browsing
Options -Indexes

# Protect sensitive files
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
    Require all denied
</FilesMatch>

# Protect config file
<Files "config.php">
    Require all denied
</Files>

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
