# Blokir akses langsung ke folder/file sensitif
<FilesMatch "^\.|^(config|includes|auth|logs|database\.sql)">
  Require all denied
</FilesMatch>

# Security Headers
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-XSS-Protection "1; mode=block"

# Nonaktifkan directory listing
Options -Indexes

# Routing sederhana
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>