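# =========================================================
# ENABLE REWRITE ENGINE
# =========================================================
RewriteEngine On

# =========================================================
# CLEAN URLS (Hide .php from URLs)
# =========================================================
# Externally redirect /page.php to /page.
# THE_REQUEST is the raw request line ("GET /page.php?x=1 HTTP/1.1"), so this
# rule reacts only to what the client asked for and never to the internal
# rewrite further down (which would otherwise loop).
#
# The target is written as /%1. The capture starts after the leading slash, and
# a relative target in per-directory (.htaccess) context is resolved against the
# directory's filesystem path unless RewriteBase is set; with R=301 that can put
# the server-side path into the Location header instead of the clean URL.
#
# NOTE(review): the 301 also applies to POST requests sent to *.php, and clients
# typically repeat a 301 as GET without the body. Forms and API callers should
# target the extension-less URL.
RewriteCond %{THE_REQUEST} \s/([^\s]+)\.php[\s?] [NC]
RewriteRule ^ /%1 [R=301,L]

# Internally map an extension-less URL to the matching .php file, but only when
# the request is not an existing directory or file and <name>.php exists.
# NOTE(review): for a URL such as /page/extra where page.php exists, the
# "%{REQUEST_FILENAME}.php -f" test may still succeed (trailing path treated as
# path info) and the rule can then rewrite repeatedly until Apache gives up with
# a 500. Confirm how such URLs behave on this host.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [L]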

# =========================================================
# SECURITY HARDENING
# =========================================================

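# 🔒 Disable directory browsing (fixes the “show all files” issue)
# Without an index file, Apache now answers 403 instead of listing the folder.
Options -Indexes

# 🚫 Prevent direct access to sensitive file types
# (?i) makes the match case-insensitive, so names such as dump.SQL or site.ZIP
# are denied too. htpasswd is listed next to htaccess so password files are
# covered by the same rule.
# NOTE(review): "json" denies every .json file under this directory, including
# ones a front end may need to fetch (for example a web app manifest). Narrow
# the list if the site serves JSON files directly.
# This only stops HTTP retrieval; dumps, archives and .env files are still
# better kept outside the web root.
<FilesMatch "(?i)\.(htaccess|htpasswd|env|ini|log|sql|bak|sh|zip|tar|gz|config|json)$">
    Require all denied
</FilesMatch>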

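# =========================================================
# BLOCK PHP EXECUTION IN UPLOAD / ICON / IMAGE FOLDERS
# =========================================================
# <Directory> sections are valid only in the server or virtual-host
# configuration. In a .htaccess file (which the per-directory rewrite rules in
# this file indicate) Apache rejects them with "<Directory not allowed here"
# and answers every request with a 500 as soon as the enclosing <IfModule> test
# is true. While the test is false (PHP run through FPM, CGI or LSAPI, or a
# mod_php build that registers as mod_php7.c / mod_php5.c) the section is
# skipped and switches nothing off. For that reason the former
# <Directory "/home/newlxlgf/public_html/{icons,uploads,images}"> sections are
# not kept as active directives here.
#
# To turn the PHP engine off per folder from .htaccess, place a .htaccess file
# inside each of icons/, uploads/ and images/ containing:
#
#   <IfModule mod_php.c>
#       php_flag engine off
#   </IfModule>
#
# (use the module identifier that matches the installed PHP version).
# With access to the virtual-host configuration, the <Directory> form can be
# used there instead; replace 'newlxlgf' with the actual cPanel username.
#
# The <FilesMatch>/<If> guard below does not depend on how PHP is run and is the
# rule in this file that denies PHP files in those folders.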

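# Deny requests for PHP-type files whose URL path contains /icons/, /uploads/
# or /images/ (Apache 2.4 syntax). This works regardless of the PHP handler in
# use (mod_php, FPM, CGI, LSAPI).
#
# Extension list:
#   php[0-9]?   php plus the numbered variants (php3, php4, php5, php7, php8, ...)
#   phtml, pht, phps, phar   other extensions commonly mapped to the PHP handler
#   (\.|$)      also matches when the PHP extension is not the last one
#               (name.php.jpg): with AddHandler-style mappings mod_mime can pick
#               the handler from any extension in the file name.
# NOTE(review): the <If> pattern is unanchored, so it applies to any URL that
# contains one of these folder names as a path segment, at any depth.
<FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phps|phar)(\.|$)">
    <If "%{REQUEST_URI} =~ m#/(icons|uploads|images)/#">
        Require all denied
    </If>
</FilesMatch>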

# =========================================================
# BLOCK ACCESS TO COMMON BACKUP OR PRIVATE FOLDERS
# =========================================================
# Answer 403 for any URL path that contains one of these folder names as a
# segment: backup, backups, cache, config, logs, private, temp, tmp.
# The match is on the URL only and is case-sensitive; it does not change file
# permissions, so private data is still best stored outside the web root.
RedirectMatch 403 "/(backups?|cache|config|logs|private|te?mp)/"

# =========================================================
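# OPTIONAL: FORCE HTTPS (Uncomment if SSL is enabled, and move the two lines directly below "RewriteEngine On" so the HTTPS redirect runs before the clean-URL rules)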
# =========================================================
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]