# Turn off automatic directory listings so a directory without an index file
# does not reveal its contents. This only takes effect if the server config
# allows Options to be overridden from .htaccess.
Options -Indexes
# Enable mod_rewrite for this directory; the rewrite rules further down are
# resolved relative to the site root.
RewriteEngine On
RewriteBase /

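# Never expose setup lock / sensitive extensions if misuploaded.
# Defense in depth only: databases, logs and environment files are best kept
# outside the document root. The match is case-insensitive ((?i)) so that
# variants such as ".ENV" or ".SQLite" are denied as well, which matters on
# case-insensitive filesystems.
# NOTE(review): the setup lock file is only covered if its name ends in one of
# the listed extensions; confirm against the installer.
<FilesMatch "(?i)\.(sqlite|db|log|env|ini)$">
    # Apache 2.4+ authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback, used when mod_authz_core is not loaded.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>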

# Route everything through front controller.
# Requests that resolve to an existing file or directory skip the rule and are
# served by Apache directly, so anything placed under the document root stays
# reachable by its own URL unless another rule denies it.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# The requested path is passed to index.php as the "route" parameter. QSA
# appends the client's own query string after it, so a request that carries its
# own route= parameter produces two values and PHP keeps the last one.
# index.php must therefore treat "route" as untrusted input and not assume it
# equals the request path. NOTE(review): confirm how index.php validates it.
RewriteRule ^(.*)$ index.php?route=$1 [QSA,L]

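# Response header hardening. Everything here is skipped silently if
# mod_headers is not loaded, so verify the headers on a live response.
<IfModule mod_headers.c>
    # Best-effort banner removal.
    # NOTE(review): Apache normally adds the Server header after mod_headers
    # has run, so these two lines usually have no effect; shorten the banner
    # with ServerTokens in the main server config instead (not allowed in
    # .htaccess). Confirm on the deployed server.
    Header unset Server
    Header always unset Server
    # X-Powered-By is emitted by PHP; setting expose_php = Off in php.ini
    # removes it at the source.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # Security headers use the "always" table so they are also sent on error
    # responses (403/404/500) and internal redirects, which a plain
    # "Header set" does not cover. The preceding unset clears any copy the
    # application placed in the default table, so the header is sent once.
    Header unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"
    Header unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"
    Header unset Referrer-Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header unset Permissions-Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>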
