# Protect sensitive files
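# Note: test-auto-backup.php is left reachable for testing purposes. No rule
# shown here names it; it is covered by the general *.php allow below, so
# remove or block it before production use.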

# Deny HTTP access to any file whose name ends in .log.
# <Files> is matched against the file name only, so this applies in this
# directory and in every subdirectory that does not override it.
# NOTE(review): Order/Deny is the Apache 2.2 access syntax. On 2.4 it is only
# available through mod_access_compat; the native 2.4 form is
# "Require all denied". Confirm which server version this file targets.
<Files "*.log">
    Order Allow,Deny
    Deny from all
</Files>

# Intended to protect config/*.php while leaving install.php reachable.
# NOTE(review): as written this section denies nothing. <Files> and
# <FilesMatch> are compared with the last path component (the file name)
# only, so a pattern containing a directory, such as "config/*.php", cannot
# match any request. The outer <FilesMatch> selects every .php file except
# install.php, but the only thing inside it is the inner <Files>, which never
# applies. The only effective restriction on config/ in this file is the
# mod_rewrite rule further down, and that is skipped when mod_rewrite is not
# loaded. A deny-all .htaccess placed inside config/, or a <Directory> block
# in the server configuration, does not have that dependency.
<FilesMatch "^(?!install\.php$).*\.php$">
<Files "config/*.php">
    Order Allow,Deny
    Deny from all
</Files>
</FilesMatch>

# Intended to protect includes/*.php.
# NOTE(review): <Files> is matched against the file name only, never against
# a directory prefix, so "includes/*.php" cannot match and this section has
# no effect. Scoping a deny to the includes/ directory needs a .htaccess
# inside that directory or a <Directory> block in the server configuration.
<Files "includes/*.php">
    Order Allow,Deny
    Deny from all
</Files>

# Explicitly allow every file whose name ends in .php.
# NOTE(review): the pattern is matched against the file name alone, so this
# also covers PHP files under config/, includes/ and cron/, as well as helper
# or test scripts such as test-auto-backup.php. <Files> sections are merged
# in the order they appear, later ones taking precedence, so a deny for
# specific PHP files has to come after this section (or live in a deeper
# .htaccess) to take effect.
<Files "*.php">
    Order Allow,Deny
    Allow from all
</Files>

# Security response headers. "always" adds them to error responses and
# redirects as well as to successful responses. The whole section is skipped
# when mod_headers is not loaded, so the headers are then silently absent.
# NOTE(review): no Content-Security-Policy is set in this file.
<IfModule mod_headers.c>
    # Keep browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Refuse to be rendered inside a frame, regardless of the framing origin.
    Header always set X-Frame-Options "DENY"
    # Legacy switch for the browser XSS filter; that filter has been removed
    # from current major browsers, so this header gives no protection there.
    Header always set X-XSS-Protection "1; mode=block"
    # Full URL as referrer for same-origin requests, origin only for
    # cross-origin requests, nothing when going from HTTPS to HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Disable directory browsing
# With Indexes off, a directory that has no index file is not answered with
# an automatically generated file listing.
Options -Indexes

# Custom error pages
# The targets are URL paths from the site root, which suggests this file
# belongs to an application served under /backend/.
# NOTE(review): these three scripts are requested internally for every
# denied or failed request, so they have to stay reachable under the access
# rules in this file.
ErrorDocument 403 /backend/403.php
ErrorDocument 404 /backend/404.php
ErrorDocument 500 /backend/500.php

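# Request filtering with mod_rewrite.
# In an .htaccess file the RewriteRule pattern is matched against the path
# relative to the directory that holds this file, without a leading slash.
# NOTE(review): everything in this section is skipped when mod_rewrite is not
# loaded, and the <Files> sections above do not cover config/ or includes/,
# so in that case those directories are served normally. Rewrite rules are
# also not inherited by a subdirectory .htaccess that enables RewriteEngine
# itself unless RewriteOptions Inherit is set there.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse PHP scripts under config/, includes/ and cron/. The trailing
    # (/|$) also covers requests that carry extra path segments after the
    # script name, and NC keeps the rule effective on case-insensitive
    # filesystems. install.php is not inside any of these directories, so it
    # needs no exemption here.
    RewriteRule ^(config|includes|cron)/.*\.php(/|$) - [F,L,NC]

    # Refuse log files, database dumps and backup copies anywhere below this
    # directory, whatever the case of the extension.
    RewriteRule \.(log|sql|bak|backup)$ - [F,L,NC]

    # Block install.php after installation: once install.lock exists, any
    # request that resolves to the installer is refused.
    RewriteCond %{REQUEST_FILENAME} install\.php [NC]
    RewriteCond %{DOCUMENT_ROOT}/backend/install.lock -f
    RewriteRule ^.*$ - [F,L]

    # Block access to hidden files: refuse any path with a component that
    # starts with a dot, at any depth below this directory (the previous
    # pattern ^\. only caught dot-names directly in this directory).
    RewriteRule (^|/)\. - [F,L]
</IfModule>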
