# Protect Controller Files from Deletion/Modification by Security Bots
# This prevents ModSecurity and Imunify360 from flagging and removing files

<IfModule mod_rewrite.c>
    # Deny direct web access to all files in this directory
    RewriteEngine On
    RewriteRule .* - [F,L]
</IfModule>

# Prevent directory listing
Options -Indexes

# Deny HTTP access but allow PHP execution
<FilesMatch "\.php$">
    # Allow server-side PHP execution
    <IfModule mod_authz_core.c>
        # Deny web access
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# ModSecurity - Whitelist this directory from security scans
<IfModule mod_security.c>
    SecRuleEngine Off
    SecRequestBodyAccess Off
    SecResponseBodyAccess Off
</IfModule>

# Alternative ModSecurity 2.x syntax
<IfModule security2_module>
    SecRuleEngine Off
</IfModule>

# Protect specific files from modification
<FilesMatch "^(SendController|ReceiveController|SwapController)\.php$">
    # Set read-only via Apache (if supported by hosting)
    <IfModule mod_headers.c>
        Header set X-Protected "true"
    </IfModule>
    
    # Prevent external access
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>

# Prevent .htaccess itself from being viewed
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
