# Vogue Vesture Business Invoicing — Apache security config

# Disable directory listing, so a folder without an index file answers 403
# instead of showing its contents.
# When this file is used as .htaccess, the server config must permit Options
# via AllowOverride; otherwise Apache rejects the directive with a server error.
Options -Indexes

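# Refuse direct HTTP access to the application's internal folders
# (e.g., /invoicing/lib/db.php cannot be opened directly). Nothing in this
# block routes requests through index.php; the rule below only answers 403
# for paths inside the listed folders.
#
# NOTE: the rule sits inside <IfModule>, so if mod_rewrite is not loaded it is
# skipped silently and the folders are served again. After deployment, confirm
# that a request for a file under lib/ returns 403. For protection that does
# not depend on mod_rewrite, place a .htaccess containing "Require all denied"
# in each folder, or keep the folders outside the document root.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block direct access to sensitive folders. [NC] makes the match
    # case-insensitive, so differently-cased paths are refused as well on
    # case-insensitive filesystems.
    RewriteRule ^(lib|config|views|pages)/ - [F,L,NC]

    # install.php is NOT blocked by this file. Per the original note it
    # self-locks after creating an admin, so access control rests on that
    # check alone. Once setup is finished, remove install.php or uncomment the
    # rule below so the web server refuses it regardless.
    # RewriteRule ^install\.php$ - [F,L,NC]
</IfModule>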

# Deny access to dotfiles like .htaccess, .env
# FilesMatch tests only the final file name, so files inside a dot-directory
# (e.g. .git/config) are not covered by this rule; keep such directories out
# of the web root or deny them separately.
# "Require" is Apache 2.4 syntax (mod_authz_core).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

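# Deny access to SQL, log, md, ini files. (?i) makes the extension match
# case-insensitive, so names such as DUMP.SQL or error.LOG are covered too.
# Only the listed extensions are blocked: compressed or renamed copies
# (for example *.sql.gz or *.bak) are still served, so keep database dumps
# and backups out of the web root.
<FilesMatch "(?i)\.(sql|log|md|ini)$">
    Require all denied
</FilesMatch>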

# Set default character set: adds charset=UTF-8 to text/plain and text/html
# responses that do not declare one, so browsers do not have to guess the
# encoding.
AddDefaultCharset UTF-8

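# Basic security headers
# "always" also attaches them to error and redirect responses (such as the
# 403s produced by the deny rules in this file), which a plain "Header set"
# would leave without them.
# NOTE(review): if the PHP application sends the same headers itself, a
# response may carry them twice — confirm and keep a single source.
# Without mod_headers this block is skipped silently, so verify the headers
# on a live response after deployment.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response into a different type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing by same-origin pages only (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Send only the origin, not the full URL, on cross-origin navigation.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>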

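# PHP error display off (uncomment when in production).
# Displayed errors can reveal file paths and query details to visitors.
# php_flag is only understood when PHP runs as an Apache module (mod_php);
# under PHP-FPM or CGI the line causes a 500 error, so set display_errors=Off
# in php.ini instead.
# php_flag display_errors Off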
