# Disable directory listing
# Requires "AllowOverride Options" (or "AllowOverride Options=Indexes") in the
# server configuration; an .htaccess directive the server config does not
# permit causes a 500 for the whole directory rather than being ignored.
Options -Indexes

# Prevent server signature disclosure
# Removes the version footer on server-generated error pages. The Server
# response header itself is governed by ServerTokens, which is valid only in
# the main server configuration, not in .htaccess.
ServerSignature Off

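# Protect .htaccess and its siblings (.htpasswd, .htgroup, ...) with the same
# wildcard Apache's stock configuration uses; matching only ".htaccess" left
# an .htpasswd placed in the web root fetchable.
<Files ".ht*">
    Require all denied
</Files>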

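# Deny access to sensitive filenames/extensions.
# The trailing (\.|$) also catches suffixed variants that hold the same
# secrets or data: .env.local, .env.production, php.ini.bak, error.log.1,
# dump.sql.gz. With a bare "$" anchor those were all still served.
<FilesMatch "\.(env|ini|phar|lock|log|sql)(\.|$)">
    Require all denied
</FilesMatch>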

# Deny direct access to JSON files (data should be read by PHP only)
# NOTE(review): this also denies JSON files a browser legitimately requests,
# e.g. a PWA manifest.json; add a narrower exception if the site ships one.
<FilesMatch "\.json$">
    Require all denied
</FilesMatch>

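# Protect common backup/archive files left behind by editors, patch tools and
# deploys. The earlier alternation "(bak|old|backup|swp|~)$" only matched a
# literal ".~" suffix, which no tool produces; Emacs-style "file.php~" has the
# tilde with no preceding dot, so it is matched as its own alternative here.
# ".orig" (patch/merge leftovers) is included for the same reason as ".bak".
<FilesMatch "(\.(bak|old|backup|orig|swp)|~)$">
    Require all denied
</FilesMatch>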

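# Block attempts to reach VCS metadata anywhere in the path. The pattern is
# unanchored on the right, so .git/, .gitignore and .github/ are all covered;
# .svn and .hg are added because a checked-out Subversion or Mercurial tree
# leaks history and credentials the same way a .git directory does.
# Answering 404 rather than 403 avoids confirming that the directory exists.
# Deliberately not wrapped in <IfModule mod_alias.c>: on a server without
# mod_alias this line fails loudly instead of silently exposing the repository.
RedirectMatch 404 /\.(git|svn|hg)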

# Basic block of suspicious user agents (optional)
# BrowserMatchNoCase is the mod_setenvif shorthand for
# "SetEnvIfNoCase User-Agent ...". The pattern is an unanchored,
# case-insensitive substring match, so "scan" also hits any agent string that
# merely contains it. The User-Agent header is client-supplied and trivially
# changed, so this is noise reduction rather than access control, and it will
# reject uptime monitors or health checks that identify themselves as curl/wget.
BrowserMatchNoCase "curl|wget|nikto|scan" bad_bot
<RequireAll>
    Require all granted
    Require not env bad_bot
</RequireAll>

# Force HTTPS (if your site supports HTTPS)
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive over TLS is permanently redirected to the
    # same host and path on https. %{HTTPS} is "on"/"off" as seen by this
    # Apache instance: behind a TLS-terminating proxy or load balancer it is
    # "off" for every request and this rule loops — check X-Forwarded-Proto
    # there instead. %{HTTP_HOST} echoes the client-supplied Host header;
    # a fixed canonical hostname in the target is the stricter choice.
    # NOTE(review): if the site is HTTPS-only, pair this with a
    # Strict-Transport-Security header in the mod_headers section.
    RewriteCond %{HTTPS} !=on
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

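# Recommended headers ("always" so they are also sent on error responses)
<IfModule mod_headers.c>
    # Stop browsers from guessing a content type that differs from the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Forbid framing entirely. This also blocks the site from framing itself;
    # use "SAMEORIGIN" or a CSP frame-ancestors directive if that is needed.
    Header always set X-Frame-Options "DENY"
    # The legacy XSS auditor has been removed from current browsers, and where it
    # still exists "1; mode=block" has been used to leak page content, so the
    # current recommendation is to disable it explicitly with "0".
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Not set here because they depend on the application: Content-Security-Policy
    # (needs the site's script/style origins) and Strict-Transport-Security
    # (only once every hostname is reliably served over TLS).
</IfModule>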

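# NOTE(review): an earlier revision had
#     <IfModule mod_mime.c>
#         AddType text/plain .php .php5 .phtml
#     </IfModule>
# here under the heading "prevent MIME type sniffing". AddType does not affect
# sniffing (the X-Content-Type-Options header above does). On a server where PHP
# is attached through an AddType mapping, re-typing .php as text/plain can make
# Apache serve the PHP source — including any embedded credentials — as a plain
# download; where PHP is attached via SetHandler it is a no-op. The directive has
# been removed. If the intent was to stop script execution inside an upload
# directory, put a separate .htaccess in that directory that disables the PHP
# handler there, and leave the site root alone.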