# Enable URL rewriting: switches on mod_rewrite so the RewriteCond/RewriteRule
# directives further down in this file are evaluated.
RewriteEngine On

# Serve index.php when a directory itself is requested.
DirectoryIndex index.php

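# Security headers. The "always" condition attaches them to error responses
# (403, 404, ...) as well as to successful ones.

# Stop browsers from MIME-sniffing a response into a different content type.
Header always set X-Content-Type-Options nosniff

# Never allow pages from this site to be rendered inside a frame
# (clickjacking defence).
Header always set X-Frame-Options DENY

# Explicitly turn the legacy browser XSS filter off. Current browsers have
# removed it, and in older ones "1; mode=block" could itself be abused to
# suppress or probe page content, so present guidance is to send "0".
# XSS mitigation has to come from output encoding in the application and a
# Content-Security-Policy tuned to it; no CSP is set in this part of the file.
Header always set X-XSS-Protection "0"

# Full URL as referrer for same-origin requests, origin only for cross-origin
# requests, nothing at all on an HTTPS -> HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"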

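# Block direct access to ALL HTML files (including renamed ones).
# (?i) makes the extension match case-insensitive, so page.HTML or page.Htm
# is denied too; this matches the [NC] flag on the .html rewrite condition
# later in this file.
<FilesMatch "(?i)\.(html|htm)$">
    Require all denied
</FilesMatch>

# Block access to the renamed index file specifically.
# Already covered by the pattern above; kept as an explicit safeguard.
<Files "_index.html">
    Require all denied
</Files>

# Block direct access to sensitive files (case-insensitive on the extension).
# This denies every .txt file, robots.txt included. If one must be public it
# needs its own allow section placed after this one.
<FilesMatch "(?i)\.(txt|log|config)$">
    Require all denied
</FilesMatch>

# Block access to specific sensitive files.
# These only stop HTTP requests; server-side includes by filesystem path are
# unaffected.
# NOTE(review): <Files> matches the exact base name, so backup or editor
# copies (config.php.bak, config.php~, ...) are not covered by these rules.
<Files "config.php">
    Require all denied
</Files>

<Files "me.php">
    Require all denied
</Files>

<Files "error_log">
    Require all denied
</Files>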

# Block directory browsing: a request for a directory that has no index file
# is refused instead of returning an auto-generated file listing.
Options -Indexes

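# Allow access to CSS, JS, image and font files.
# Ordering matters: when several <Files>/<FilesMatch> sections match the same
# file they are applied in configuration order, and with the default
# AuthMerging Off the last matching section's Require replaces earlier ones.
# The allow sections therefore come first and the hidden-file deny last, so a
# dot-file that happens to carry an asset extension (for example ".backup.js")
# stays denied.
<FilesMatch "\.(css|js|png|jpg|jpeg|gif|svg|ico|woff|woff2)$">
    Require all granted
</FilesMatch>

# The captcha verification script must be directly requestable.
<Files "captcha_verify.php">
    Require all granted
</Files>

# Block access to hidden files (base name starting with a dot).
# NOTE(review): <FilesMatch> is tested against the file's base name only, so
# this does not protect ordinary-named files inside a hidden directory
# (e.g. ".git/HEAD"). Covering those needs a path-based rule; if one is added,
# remember any exception the site relies on, such as ".well-known/".
<FilesMatch "^\.">
    Require all denied
</FilesMatch>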

# Force redirect any direct HTML file access to index.php.
# THE_REQUEST is the raw request line sent by the client, so this condition
# looks at what was literally requested, not at an internally rewritten URL.
# [NC] makes the match case-insensitive; R=301 sends a permanent redirect.
# NOTE(review): if this file is a per-directory .htaccess, the <FilesMatch>
# deny for .html/.htm earlier in this file is presumably evaluated first
# (authorization runs before per-directory rewriting), so these requests would
# get a 403 and never reach this redirect. Confirm which behaviour is intended.
# The pattern also covers only ".html", not ".htm".
RewriteCond %{THE_REQUEST} \s/+(.+)\.html[\s?] [NC]
RewriteRule ^ /index.php [R=301,L]

# Handle form submissions: every POST request is internally rewritten to
# index.php (no redirect), keeping the query string (QSA); L ends this pass.
# NOTE(review): nothing is excluded here, so a POST to captcha_verify.php
# (explicitly allowed earlier in this file) also appears to be handed to
# index.php. Verify that endpoint is not expected to receive POSTs directly.
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteRule ^(.*)$ /index.php [QSA,L]

# Redirect ALL other requests to index.php (catch-all front controller).
# Applies only when the target is not an existing file (!-f), not an existing
# directory (!-d), and not already /index.php. The rewrite is internal and
# keeps the query string. Existing files are still served directly, subject
# to the <Files>/<FilesMatch> access rules earlier in this file.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index\.php$
RewriteRule ^(.*)$ /index.php [QSA,L]