Options -Indexes
Options -MultiViews

RewriteEngine On

# Remove trailing slashes (except for root)
RewriteCond %{REQUEST_URI} !^/?$
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [R=301,L]

# Serve real files and directories directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Everything else → front controller
RewriteRule ^ index.php [L,QSA]

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Block direct PHP execution outside index.php
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
<Files "index.php">
    Order Allow,Deny
    Allow from all
</Files>
