# Never render a directory listing when a directory has no index file.
Options -Indexes

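# Security headers
# "always" applies the headers to every response, including 4xx/5xx error pages,
# not only to 2xx responses.
<IfModule mod_headers.c>
    # Legacy clickjacking defence; CSP frame-ancestors (below) is the modern form.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header: most current browsers no longer implement the XSS auditor
    # and rely on CSP instead. Kept for older clients.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(self)"
    # NOTE: 'unsafe-inline' and 'unsafe-eval' in script-src disable most of the
    # XSS protection CSP can offer; move to nonces/hashes when the application allows.
    # base-uri and frame-ancestors do NOT fall back to default-src, so they are set
    # explicitly: base-uri 'self' blocks <base href> injection, frame-ancestors 'self'
    # mirrors X-Frame-Options SAMEORIGIN for CSP-aware browsers.
    Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com/ajax/libs https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com; media-src 'self' blob: data:;"
</IfModule>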

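# Block direct requests for sensitive files.
# FilesMatch tests the file *basename* only: this denies e.g. config.php, core.inc,
# database.sql or .env anywhere under this tree, but it does NOT protect
# directories such as config/ — a request for config/db.php has basename db.php
# and is not matched here. Directory protection needs a RewriteRule in this file
# or <DirectoryMatch> in the server/vhost config (<DirectoryMatch> is not
# permitted in .htaccess).
<FilesMatch "^(config|core|models|controllers|database|\.env)">
    # Apache 2.4 (mod_authz_core) syntax, with the 2.2-style fallback for servers
    # that lack it. Without this split, the 2.2 directives fail on a 2.4 server
    # that does not load mod_access_compat.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>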

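# Rewrite rules
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /TellerPro/

    # Refuse requests into application-internal directories with 403.
    # FilesMatch cannot do this because it only matches file basenames, and the
    # front-controller rule below serves any *existing* file directly (its !-f
    # condition), which would expose files inside these directories. NC keeps the
    # check effective on case-insensitive filesystems.
    RewriteRule ^(config|core|models|controllers|database)(/|$) - [NC,F,L]

    # Allow direct access to reset and superadmin creation scripts.
    # This only exempts them from the front-controller rewrite; the scripts stay
    # reachable by anyone who can reach the site. Remove them, or restrict them
    # (e.g. with an IP-based Require), once initial setup is complete.
    RewriteRule ^(reset_database_browser|create_superadmin_browser)\.php$ - [L]

    # Super admin routes
    RewriteRule ^superadmin(/.*)?$ superadmin.php [QSA,L]

    # All other routes -> index.php (front controller), unless the request maps
    # to an existing file or directory, which is then served as-is.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>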
