RewriteEngine On

# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block access to sensitive files and directories
RewriteRule ^\.env$ - [F,L]
RewriteRule ^composer\.(json|lock)$ - [F,L]
RewriteRule ^src/ - [F,L]
RewriteRule ^templates/ - [F,L]
RewriteRule ^config/ - [F,L]
RewriteRule ^cron/ - [F,L]
RewriteRule ^storage/ - [F,L]
RewriteRule ^migrations/ - [F,L]
RewriteRule ^docs/ - [F,L]
RewriteRule ^vendor/ - [F,L]

# Allow direct access to existing files and directories (assets, etc.)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Route everything else through index.php
RewriteRule ^(.*)$ index.php [QSA,L]