# ==========================================
# proxy.drmitov.mk - hardening
# ==========================================

# No directory listing: without an index file mod_autoindex would otherwise
# render the directory contents and expose file names to visitors.
# NOTE(review): this line needs `AllowOverride Options` (or `All`) in the
# vhost/<Directory> config; if it is not permitted Apache rejects the whole
# .htaccess and requests fail with a 500 — verify on the target server.
Options -Indexes

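# Block access to dotfiles (.env, .git, .htaccess, etc.)
# <FilesMatch> tests the final path component only, so this covers any file
# whose own name starts with a dot, in this directory and every subdirectory.
<FilesMatch "^\.">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>

# The section above does NOT cover regular-named files *inside* a
# dot-directory (e.g. "config" under ".git/"), because only the last path
# component is matched. Forbid any URL path containing a dot-segment, except
# ".well-known/" which ACME (HTTP-01) validation and similar clients must
# still be able to reach. 403 keeps the same status the rewrite rules use.
<IfModule mod_alias.c>
  RedirectMatch 403 "/\.(?!well-known/)"
</IfModule>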

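# Block logs, dumps, archives, config files and backup/editor copies by extension.
# "(?i)" makes the match case-insensitive: <FilesMatch> is case-sensitive by
# default, so e.g. "dump.SQL" or "LOGS.TXT" would otherwise be served from a
# case-insensitive filesystem. Only the final path component is tested, so the
# rule applies in subdirectories as well (logs.txt is covered by the txt entry).
# Note: the txt entry also blocks robots.txt — add a <Files "robots.txt"> section
# granting access after this one if that file is wanted.
<FilesMatch "(?i)\.(log|txt|sql|zip|tar|gz|tgz|rar|7z|bak|old|orig|swp|ini|conf)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>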

# Allow ONLY index.php, deny everything else in web root
# Rewrite directives in .htaccess need `AllowOverride FileInfo`. Because of the
# <IfModule> guard, a server without mod_rewrite silently gets none of this and
# only the per-file access sections below remain in force.
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Allow index.php — first matching rule wins because of [L].
  # In per-directory context the pattern sees the path relative to this
  # directory (presumably empty for a request to "/" itself, so neither rule
  # below affects the directory index request — verify on the target server).
  RewriteRule ^index\.php$ - [L]

  # Deny any direct access to other root files (like /readme.html, /test.php, etc.)
  # Only single-segment paths are forbidden: anything containing "/" (files in
  # subdirectories) falls through to the <FilesMatch> sections. This also
  # answers 403 for root files that do not exist and for robots.txt /
  # favicon.ico; add e.g. `RewriteRule ^robots\.txt$ - [L]` above this line
  # if those should stay reachable.
  RewriteRule ^[^/]+$ - [F,L]
</IfModule>

# Prevent execution of any PHP file except index.php (even if rewrite is bypassed)
# <Files>/<FilesMatch> sections are merged in the order they appear in the
# file, so this blanket deny must stay ABOVE the index.php exception below.
<FilesMatch "\.php$">
  # Apache < 2.4 (mod_access)
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
  # Apache >= 2.4 (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

# Exception: the front controller stays reachable.
# <Files> matches the final path component only, so an index.php located in
# a subdirectory is granted by this section as well.
<Files "index.php">
  # Apache < 2.4 (mod_access)
  <IfModule !mod_authz_core.c>
    Allow from all
  </IfModule>
  # Apache >= 2.4 (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Files>