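# Apache .htaccess for a PHP front-controller app: everything that is not the
# single allowed static asset (css/tkr.css) is routed to public/index.php.
# Requires mod_rewrite and mod_headers (no <IfModule> guard on purpose: a
# missing module fails loudly with a 500 rather than silently dropping the
# security rules below).

# Enable mod_rewrite
RewriteEngine On

# Security headers
Header always set X-Frame-Options "SAMEORIGIN"
# NOTE(review): X-XSS-Protection is a legacy header; current browsers ignore it
# and OWASP recommends "0" or omitting it. Kept as-is to preserve behaviour.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

# Directory index (relative to the directory being requested)
DirectoryIndex public/index.php

# Security: Block direct access to .php files (except through rewrites).
# THE_REQUEST is the raw client request line, so it is unaffected by the
# internal rewrite to public/index.php below (that rewrite still works).
# Because it is also NOT percent-decoded, a request such as /x%2ephp is not
# matched here while Apache does decode it before file lookup — TODO confirm
# no directly servable .php files exist outside the directories blocked below.
RewriteCond %{THE_REQUEST} \s/[^?\s]*\.php[\s?] [NC]
RewriteRule ^.*$ - [R=404,L]

# Security: Block access to sensitive directories.
# [NC] added so that /Storage/ or /CONFIG/ cannot bypass the rule on
# case-insensitive filesystems (macOS, Windows) where Apache would still serve it.
RewriteRule ^(storage|src|templates|uploads|config)(/.*)?$ - [F,NC,L]

# Security: Block access to hidden files and directories at ANY depth.
# The previous pattern (^\..*$) only matched dot-files directly under this
# directory, so e.g. /uploads/.htaccess or /public/.env were not covered.
# Note this also blocks /.well-known/ (e.g. ACME challenges); add an explicit
# RewriteCond exception if that path is needed.
RewriteRule (^|/)\. - [F,L]

# Cache static files for 1 hour.
# Scoped to the one allowed static asset: an unconditional "Header set" would
# also stamp every front-controller (dynamic, possibly authenticated) response
# as publicly cacheable for an hour, overriding anything PHP sends.
<Files "tkr.css">
    Header set Cache-Control "public, max-age=3600"
</Files>

# Serve the one static file we allow: css/tkr.css.
# The pattern is an exact match, so css/custom/* can never reach this rule and
# falls through to the front controller like everything else.
RewriteRule ^css/tkr\.css$ public/css/tkr.css [L]

# Everything else goes to the front controller (existing files and
# directories are still served directly).
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ public/index.php [L]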