# ==============================================================================
# 1. PREVENT DIRECTORY LISTING
# Stops Apache from generating a file listing for a folder that has no index
# file (e.g. index.php), so visitors cannot browse the folder's contents.
# - This hides file NAMES only. A file is still served to anyone who requests
#   its exact URL, so sensitive files also need the deny rule in section 2 or,
#   better, a location outside the web root.
# - The server must allow "Options" overrides for this folder (AllowOverride).
#   If it does not, this line causes a 500 error; if AllowOverride is None,
#   this whole file is ignored and none of the rules below apply.
# ==============================================================================
Options -Indexes

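# ==============================================================================
# 2. PROTECT SENSITIVE FILES
# Answers 403 Forbidden for the config file, every .ht* file (.htaccess,
# .htpasswd), error_log, the install lock, and any file ending in .log, .ini,
# .bak, .sql, .sqlite or .lock.
# - (?i) makes the match case-insensitive, so names such as BACKUP.SQL or
#   Config.PHP are covered as well as the lower-case spellings.
# - The match is on the file name only, in this folder and every subfolder.
#   Names not listed here (for example .env files, editor swap files, or other
#   database extensions) are NOT blocked; add them if the site has any.
# - "Require all denied" needs Apache 2.4 or newer.
# - Treat this as a safety net. Where possible keep secrets, database dumps and
#   logs outside the web root, so a lost or ignored .htaccess cannot expose them.
# ==============================================================================
<FilesMatch "(?i)^(config\.php|\.ht.*|error_log|install\.lock|.*\.(log|ini|bak|sql|sqlite|lock))$">
    Require all denied
</FilesMatch>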

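# ==============================================================================
# 3. ADD SECURITY HEADERS
# Response headers that ask the browser to apply extra protections.
# These are browser hints, not a web application firewall: they do not inspect
# or block incoming requests, and they do not replace output escaping or input
# validation in the application.
# If mod_headers is not loaded, this whole block is skipped without any error,
# so confirm the headers are present by inspecting a real response.
# ==============================================================================
<IfModule mod_headers.c>
    # "always" also attaches the header to error and redirect responses
    # (403, 404, ...), which plain "Header set" leaves out. If the application
    # sends the same header itself, check responses for duplicates.

    # Clickjacking: only pages from this same site may show this site in a frame.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stops the browser from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # The legacy browser XSS filter has been removed from current browsers, and
    # its "block" mode caused problems of its own in older ones, so it is
    # switched off explicitly. XSS is prevented by escaping output; a
    # Content-Security-Policy tailored to the site adds a second layer.
    Header always set X-XSS-Protection "0"

    # Other sites receive only this site's origin (no path or query string),
    # and nothing at all when going from HTTPS to HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>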

# ==============================================================================
# 4. BLOCK UNWANTED HTTP METHODS
# Answers 403 Forbidden to any request whose method starts with TRACE, TRACK or
# OPTIONS (matched case-insensitively).
# This is a denylist, not an allowlist: GET, POST, HEAD, PUT, DELETE, PATCH and
# every other method still pass through, so the application must itself reject
# the methods it does not expect.
# - Blocking OPTIONS also blocks CORS preflight requests; take it out of the
#   list if browsers on other origins need to call this site.
# - For TRACE, "TraceEnable Off" in the main server configuration is the primary
#   control; that directive cannot be set from .htaccess.
# - There is no <IfModule> wrapper here, so if mod_rewrite is unavailable the
#   request fails with a 500 error instead of these rules being skipped silently.
# - "RewriteEngine On" is also required by the rewrite rule in section 5.
# ==============================================================================
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS) [NC]
RewriteRule .* - [F,L]

# ==============================================================================
# 5. URL REWRITING (THE AESTHETIC MASK)
# Internally maps secure/<anything> to cloaker.php/<anything>. The visitor's
# address bar keeps the secure/... URL, the part after "secure/" is handed to
# the script as extra path information, and the query string is passed along.
# - This is cosmetic, not access control: the rule adds no authentication, and
#   cloaker.php can still be requested directly by its own name.
# - <anything> is chosen by the visitor. cloaker.php is not shown in this file;
#   it should validate that value before using it in file paths, redirects,
#   database queries or page output.
# - Depends on "RewriteEngine On" in section 4.
# ==============================================================================
RewriteRule ^secure/(.*)$ cloaker.php/$1 [L,QSA]