RewriteEngine On

# Block access to .env and sensitive files
<FilesMatch "^(\.env|composer\.(json|lock)|package(-lock)?\.json|\.htaccess|web\.config|\.user\.ini)$">
    Require all denied
</FilesMatch>

# Block log/database files
<FilesMatch "\.(log|sql|sqlite)$">
    Require all denied
</FilesMatch>

# Block .git
RewriteRule (^|/)\.git - [F,L]

# Remove trailing slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Redirect to public folder
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ public/$1 [L]

# PHP Handler
<FilesMatch "\.(php|phtml)$">
    SetHandler application/x-httpd-alt-php82___lsphp
</FilesMatch>