# Amigos Capital CRM — Apache rewrite + hardening
# Lives at the cPanel webroot.

# -Indexes: never emit an auto-generated directory listing for a folder that has no index file.
# -MultiViews: disable content negotiation, so a request such as /foo is not silently
#              mapped to foo.php (or another foo.*) instead of reaching the rewrite rules below.
Options -Indexes -MultiViews
# index.php is the only file served when a directory itself is requested.
DirectoryIndex index.php

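<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse any path that contains a dot-prefixed segment (.git/, .svn/, .env, ...).
    # The <FilesMatch "^\."> rule further down only tests the last path component, so a
    # file inside a hidden directory (for example .git/config) would otherwise be served
    # as a plain static file. .well-known/ stays reachable because HTTP-based certificate
    # validation (e.g. ACME HTTP-01) depends on it.
    # Must run before the front-controller rule so that rule's [L] cannot skip it.
    RewriteRule "(^|/)\.(?!well-known(/|$))" - [F]

    # Front controller: anything that is not an existing file or directory on disk
    # is handed to index.php. QSA keeps the original query string; L stops this pass.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [QSA,L]
</IfModule>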

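<IfModule mod_headers.c>
    # "always" puts the header in the table Apache uses for locally generated responses
    # too (403 from the deny rules in this file, 404, redirects). A plain "Header set"
    # only touches the onsuccess table, so those responses would go out without it.
    # The matching "onsuccess unset" removes any copy left in the other table so the
    # header is never sent twice.

    # Stop browsers from MIME-sniffing a response into a different content type.
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    # Forbid rendering any page of the CRM inside a frame (clickjacking defence).
    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "DENY"

    # Send the full URL as referrer only same-origin; cross-origin gets the origin only,
    # and nothing is sent on an HTTPS -> HTTP downgrade.
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable geolocation, microphone and camera access for this origin and any embedded frames.
    Header onsuccess unset Permissions-Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # NOTE(review): neither Strict-Transport-Security nor Content-Security-Policy is set
    # in this file — confirm they are emitted by the application or the vhost.
</IfModule>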

# Deny direct access to dotfiles (.env, .htpasswd, .gitignore, ...).
# FilesMatch is evaluated against the last path component only, so this rule covers
# files whose own name starts with a dot; it does not cover regular files that sit
# inside a dot-directory (e.g. .git/config), which need a path-based rule.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

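# Deny direct access to backup / version files, database dumps, env files and logs.
# (?i) makes the match case-insensitive so dump.SQL or config.BAK are refused as well;
# .old, .swo and editor "~" backups are added to the original list because they are
# the same kind of leftover and can expose source code or credentials.
# NOTE(review): compressed dumps (e.g. .sql.gz, .zip) are not matched here — keep
# them outside the webroot.
<FilesMatch "(?i)(\.(bak|old|orig|swp|swo|sql|env|log)|~)$">
    Require all denied
</FilesMatch>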
