Options -Indexes

# Block direct access to sensitive files
<FilesMatch "^(config\.php|install\.php|composer\.(json|lock))$">
  Order allow,deny
  Deny from all
</FilesMatch>

# Block uploads directory access
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Force HTTPS (uncomment on production)
  # RewriteCond %{HTTPS} off
  # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Redirect root to login
  RewriteRule ^$ login.php [L]
</IfModule>

# Protect log files
<FilesMatch "\.log$">
  Order allow,deny
  Deny from all
</FilesMatch>
