# ── Pass Authorization header to PHP (Apache strips it by default) ──
RewriteEngine On
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# ── Fallback for CGI/FastCGI mode ──
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# ── Deny access to sensitive files ──
<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

<FilesMatch "^config\.php$">
    Require all denied
</FilesMatch>

<FilesMatch "^redirects\.json$">
    Require all denied
</FilesMatch>

# ── Deny access to sensitive directories ──
<IfModule mod_rewrite.c>
    RewriteRule ^prevents/ - [F,L]
    RewriteRule ^storage/ - [F,L]
    RewriteRule ^uploads/ - [F,L]
</IfModule>

Options -Indexes