# =========================================================
# Root .htaccess — used only when the host won't let you
# point document root to /public. It forwards every request
# into /public and blocks direct access to app/storage/etc.
# =========================================================

RewriteEngine On

# 1) Block direct access to sensitive folders & files
RewriteRule ^(app|storage|database|python|\.env|\.git) - [F,L,NC]

# 2) Forward everything else to /public
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ public/$1 [L]

# Disable directory browsing
Options -Indexes

# Hide server signature
ServerSignature Off
