<IfModule mod_rewrite.c>
Options -Indexes

<Files .env>
Order allow,deny
Deny from all
</Files>

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>

# Security: block sensitive files
<FilesMatch "\.(env|git|log|config|ini|phar|sh|sql)$">
Order allow,deny
Deny from all
</FilesMatch>

# Light browser caching (Cloudflare overrides globally)
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/html "access plus 1 hour"
</IfModule>