# Turn off auto-generated directory listings (-Indexes) and filename-based
# content negotiation (-MultiViews) for this directory and everything below it.
# NOTE(review): Options in .htaccess only takes effect if the server's
# AllowOverride permits it; confirm against the vhost config.
Options -Indexes -MultiViews
# Charset parameter added to text/plain and text/html responses that do not
# declare one themselves.
AddDefaultCharset UTF-8

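# ── Block sensitive files ─────────────────────────────────────────
# Denies direct HTTP access to any file whose name ends in one of the listed
# extensions (SQL dumps, dotenv files, logs, docs, manifests, lockfiles,
# shell scripts, backups, ini files).
# (?i) makes the match case-insensitive, so names such as "DUMP.SQL" or
# ".ENV" are covered as well (relevant on case-insensitive filesystems).
# NOTE(review): txt/json/md are denied everywhere below this directory,
# including under public/ (e.g. robots.txt, manifest.json); confirm that is
# intended.
<FilesMatch "(?i)\.(sql|env|log|md|txt|json|lock|sh|bak|ini)$">
    # Apache 2.4+: native authorization syntax. Without this branch, a 2.4
    # server lacking mod_access_compat rejects Order/Deny as unknown
    # directives and answers 500 for every request.
    # Require needs AllowOverride AuthConfig.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): legacy access-control syntax.
    # Order/Deny need AllowOverride Limit.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>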

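# ── Block direct access to internal directories ───────────────────
# (The only public entry point is public/)
# Any request path that is exactly one of the listed directories, or lies
# below one, is answered with 403 Forbidden and no further rewriting.
#
# NOTE(review): this block fails open. If mod_rewrite is not loaded (or
# AllowOverride does not permit FileInfo), the <IfModule> is skipped silently
# and these directories become reachable. Pointing the DocumentRoot at
# public/ or placing a deny rule inside each directory does not depend on
# mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # NC: match case-insensitively, so "/Config/..." or "/STORAGE/..." cannot
    # sidestep the rule on a case-insensitive filesystem.
    # F: respond 403. L is implied by F and kept only for readability.
    RewriteRule ^(config|controllers|core|models|views|storage|vendor|database)(/.*)?$ - [F,L,NC]
</IfModule>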

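# ── Security headers ──────────────────────────────────────────────
# "always" puts the header on error responses (4xx/5xx) as well as on
# successful ones.
# NOTE(review): no Content-Security-Policy or Strict-Transport-Security is set
# here; confirm they are configured at the vhost or application level.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing only by pages of the same origin (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Cross-origin requests receive only the origin as referrer, and nothing
    # on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # mod_headers keeps two separate header tables ("onsuccess" and "always"),
    # and "always" is not a superset of the default one. Which table
    # X-Powered-By lands in depends on how PHP is run (module vs. CGI/FastCGI),
    # so remove it from both; "always unset" alone can leave it in place.
    # Setting expose_php = Off in php.ini stops PHP from emitting it at all.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>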

# ── PHP: errors go to the log, not to the screen ──────────────────
# These directives apply only when PHP runs as an Apache module. Under
# PHP-FPM or CGI both <IfModule> blocks are skipped and display_errors falls
# back to whatever php.ini says, so also set it there (or in .user.ini).
#
# NOTE(review): PHP 8's Apache module is believed to identify itself as
# mod_php.c (PHP 7 used mod_php7.c), so the mod_php8.c block below probably
# never matches. It is harmless, since the mod_php.c block repeats the same
# settings.
<IfModule mod_php8.c>
    # Never render error details (paths, SQL, stack traces) into the response.
    php_flag display_errors Off
    php_flag log_errors     On
    # NOTE(review): relative path. PHP resolves it against the process
    # working directory, not against this file's directory; confirm where
    # the log really ends up, or use an absolute path. The intended location
    # (storage/, *.log) is covered by both deny rules earlier in this file.
    php_value error_log     storage/php_errors.log
</IfModule>
<IfModule mod_php.c>
    # Same settings as above, for the mod_php.c module identifier.
    php_flag display_errors Off
    php_flag log_errors     On
    # NOTE(review): relative path; see the note in the block above.
    php_value error_log     storage/php_errors.log
</IfModule>
