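# Deny access to sensitive files: config, DB dumps, install/setup scripts and
# debug artefacts left in the web root.
# The pattern also covers backup/editor copies of the same names
# (config.php.bak, config.php~, config.php.orig, .swp) — Apache serves those as
# plain text, so the original rule anchored on "config.php$" would still have
# leaked the DB credentials through any stray copy. Generic dump/log/lock/backup
# extensions are refused as well, so a newly added *.sql or *.log file does not
# need a list entry to be protected. (?i) makes the match case-insensitive so a
# case-insensitive filesystem (Windows, default macOS) cannot be bypassed with
# CONFIG.PHP; on Linux it is a no-op.
# Intentionally NOT blocking *.txt as a whole — robots.txt and friends must stay
# reachable — so debug .txt files still have to be listed by name.
<FilesMatch "(?i)((config\.php|database\.sql|installed\.lock|setup\.php|setup_sample.*|migrate_to_delivery_db\.php|test_settings\.php|temp_check\.php|tmp_ajax\.php|tmp_ajax_log\.txt|debug_warehouse\.log|save_debug\.txt|setup_inventory_db\.php|setup_delivery_db\.php|contract_templates\.sql)(~|\.(bak|old|orig|save|dist|tmp|swp|swo))?|\.(sql|log|lock|bak|old|orig|save|swp|swo))$">
    # Apache 2.4 authorization; the 2.2 Order/Deny form below is the fallback.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>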

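# Deny access to hidden (dot) files: .htaccess, .htpasswd, .env, .gitignore, ...
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
# <FilesMatch> is evaluated against the final path component only, so the rule
# above does NOT cover files *inside* hidden directories (/.git/config,
# /.git/HEAD, /.svn/wc.db, /.idea/*), which is the classic source-disclosure
# path. Refuse any request whose path contains a dot-segment, except
# /.well-known/ which ACME (Let's Encrypt HTTP-01) and security.txt rely on.
# mod_alias matches the full URL path even from .htaccess, hence (^|/) rather
# than ^/ so the rule also holds when the app lives under a sub-path.
# 404 rather than 403 so the response does not confirm that the directory
# exists. Deliberately not wrapped in <IfModule mod_alias.c>: a missing module
# should fail loudly (500) instead of silently exposing the tree.
RedirectMatch 404 "(^|/)\.(?!well-known(/|$))"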

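# Block the .codegraph directory (tooling output, not a web asset).
# Match the segment anywhere in the URL path instead of anchoring on ^/ so the
# rule still applies when the app is deployed under a sub-path
# (/app/.codegraph/), and match with or without a trailing slash. 404 rather
# than 403 so the response does not confirm the directory exists.
# Deliberately not guarded by <IfModule mod_alias.c>: if mod_alias is missing
# the request should fail loudly (500), not silently expose the tree.
RedirectMatch 404 "(^|/)\.codegraph(/|$)"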

# Disable directory listing so a directory without an index file returns 403
# instead of enumerating its contents (uploads, dumps, backups). Requires that
# the server config allows "Options" to be overridden in .htaccess
# (AllowOverride Options or AllowOverride All); otherwise Apache refuses the
# whole file with a 500, which at least fails closed.
Options -Indexes

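# Security headers.
# "always" makes mod_headers add them to error responses (4xx/5xx) as well;
# plain "Header set" only decorates successful responses, so error pages
# (including the 403/404s produced by the rules above) would otherwise ship
# without nosniff/CSP/frame protection.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    # Legacy clickjacking guard for browsers without CSP support; where CSP
    # frame-ancestors (below) is present it takes precedence.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor has been removed from all current engines and
    # "1; mode=block" enabled XS-leak / filter-bypass attacks in the engines that
    # had it; current guidance is to disable it explicitly.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src mean this
    # policy does not stop injected scripts — it currently only limits remote
    # loads to the allowlisted hosts and restricts framing. Tightening it
    # (nonces/hashes, and pinning the jsDelivr entries to exact package paths or
    # adding SRI on the tags) requires changes in the PHP templates; confirm
    # against the app before dropping either keyword.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:; connect-src 'self' https://cdn.jsdelivr.net; frame-ancestors 'self';"
    # PHP advertises its exact version in X-Powered-By by default (expose_php=On).
    # Strip it on both header tables: PHP writes it to the success table for
    # normal responses and to the error table when the script sets a 4xx/5xx.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    # Strict-Transport-Security is intentionally absent: add it only once the
    # site is served exclusively over HTTPS, otherwise HTTP-only deployments break.
</IfModule>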
