Options -Indexes -MultiViews
DirectoryIndex index.php

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# --------------------------------------------------
# Hagarika files z'ibanga
# --------------------------------------------------
RewriteRule ^(?:config|db)(?:\.php)?$ - [F,L,NC]
RewriteRule ^(?:database|install|upgrade)(?:\.sql)?$ - [F,L,NC]
RewriteRule ^(?:README(?:\.txt)?|repair(?:\.php)?|csrf-session-test(?:\.php)?)$ - [F,L,NC]
RewriteRule (^|/)\.(?!well-known(?:/|$)) - [F,L]

# --------------------------------------------------
# index.php -> /
# Example: /index.php?page=claim -> /?page=claim
# Redirect ikoreshwa kuri GET gusa kugira POST/AJAX ntibibure
# --------------------------------------------------
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{THE_REQUEST} \s/+index\.php(?:[\s?]) [NC]
RewriteRule ^index\.php$ / [R=302,L,NE]

# --------------------------------------------------
# Gukuraho .php ku zindi pages
# Example:
# /logo.php -> /logo
# /payment-callback.php -> /payment-callback
# /api/reward.php -> /api/reward
# --------------------------------------------------
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{THE_REQUEST} \s/+(.+?)\.php(?:[\s?]) [NC]
RewriteRule ^(.+)\.php$ /$1 [R=302,L,NE]

# --------------------------------------------------
# Extensionless URL -> PHP file imbere muri server
# Example: /logo -> logo.php
# --------------------------------------------------
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+?)/?$ $1.php [L,QSA]

</IfModule>

# --------------------------------------------------
# Hagarika gufungura sensitive files muri browser
# --------------------------------------------------
<FilesMatch "^(config\.php|db\.php|database\.sql|install\.sql|upgrade\.sql|README\.txt|repair\.php|csrf-session-test\.php|composer\.json|composer\.lock|\.env)$">
    Require all denied
</FilesMatch>

# --------------------------------------------------
# Security headers
# --------------------------------------------------
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header always set Cross-Origin-Opener-Policy "same-origin"
</IfModule>

# --------------------------------------------------
# Image cache
# --------------------------------------------------
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/png "access plus 1 day"
    ExpiresByType image/jpeg "access plus 1 day"
    ExpiresByType image/webp "access plus 1 day"
    ExpiresByType image/svg+xml "access plus 1 day"
</IfModule>