Options -Indexes
RewriteEngine On

# Redirect to HTTPS (uncomment in production)
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Allow direct access to public assets
RewriteCond %{REQUEST_URI} ^/smartform/public/
RewriteRule ^ - [L]

# Allow direct access to specific files
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]

# Route everything else to index.php
RewriteRule ^(.*)$ index.php [QSA,L]

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

# Prevent access to sensitive files
<FilesMatch "\.(env|log|sql)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
