# ===============================================
# Basic Security & URL Rewriting for PHP Project
# ===============================================

# 1. Prevent directory listing
#    Removes the Indexes option, so a directory without an index file answers
#    403 instead of an auto-generated listing of its contents.
#    NOTE(review): in a .htaccess file this directive is only permitted when the
#    server config allows it (AllowOverride Options or All) - confirm on the host.
Options -Indexes

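# 2. Protect includes folder (config files, etc.)
#    This file reads as a per-directory .htaccess. <Directory> sections are
#    only valid in the server / virtual-host config: inside .htaccess Apache
#    rejects them and every request fails with a 500 error, and a relative
#    path such as "includes" would not match the intended folder there either.
#    A per-directory rewrite rule gives the same deny from this file. The
#    pattern is relative to the directory holding this file; [F] answers 403
#    and ends rule processing, [NC] covers case variants on case-insensitive
#    filesystems.
#    Defence in depth: also place a .htaccess containing "Require all denied"
#    inside includes/ (rewrite rules here are not inherited if that folder
#    enables its own rewrite engine), or keep the folder outside the web root.
RewriteEngine On
RewriteRule ^includes(/|$) - [F,NC]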

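# 2a. Allow access to product images
#     No directive is needed to grant access: access is allowed unless a rule
#     denies it, and <Directory> is not valid inside a .htaccess file (Apache
#     answers every request with a 500 error when it meets one).
#     What this folder does need is a guarantee that nothing stored in it is
#     executed, because rule 3b maps extensionless URLs onto .php files in
#     every subdirectory. Script-type files under uploads/ are refused here.
#     NOTE(review): assumes files under uploads/ can be written through the
#     application - confirm, and validate file type at upload time as well.
RewriteEngine On
RewriteRule ^uploads/.*\.(php\d*|phtml|phar)$ - [F,NC]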

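# 3. Enable Rewrite Engine
RewriteEngine On

# 3a. Redirect direct requests for *.php to the extensionless URL (GET only)
#     THE_REQUEST is the raw request line sent by the client, so this matches
#     only what the client asked for and never the internal .php mapping done
#     in 3b, which avoids a redirect loop. %1 is the path captured without
#     the ".php" suffix.
#     The method check has to stay enabled: a 301 answered to a POST makes
#     most clients repeat the request as GET and drop the body, which breaks
#     login and other form handlers that still post to a *.php URL.
#     NOTE(review): the target %1 is a relative path; confirm the redirect
#     resolves to the intended URL (a RewriteBase may be required when this
#     file does not sit at the document root).
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{THE_REQUEST} \s/([^.]+)\.php[\s?] [NC]
RewriteRule ^ %1 [R=301,L]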

# 3b. Internally map extensionless URLs to .php files (works for all requests)
#     No redirect is sent: the client keeps the extensionless URL and Apache
#     serves the matching script.
#     This applies to every directory below this file, so any .php file on
#     disk is also reachable without its extension. Access restrictions must
#     therefore key on the final file or directory, not on the ".php" suffix
#     in the URL.
# Skip requests that name an existing directory.
RewriteCond %{REQUEST_FILENAME} !-d
# Only rewrite when "<requested path>.php" exists as a regular file.
RewriteCond %{REQUEST_FILENAME}.php -f
# Append ".php" to the whole requested path and stop this pass.
RewriteRule ^(.*)$ $1.php [L]

# 4. Prevent access to sensitive files
#    The regex is tested against the file name only (not the directory path)
#    and is unanchored except for the first alternative. It denies:
#      ^\.          any file whose name starts with a dot
#      config\.php  any file whose name contains "config.php"
#      \.htaccess   any file whose name contains ".htaccess"
#    The check runs on the file finally served, so /config rewritten to
#    config.php by rule 3b is denied too.
#    NOTE(review): "^\." does not cover ordinary-named files inside a dot
#    directory such as .git/, because only the file name is matched - confirm
#    no such directory is deployed under the web root, or deny it separately.
<FilesMatch "(^\.|config\.php|\.htaccess)">
    Require all denied
</FilesMatch>

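# 5. Security headers (requires mod_headers)
#    "always" puts the headers on every response, including error pages and
#    redirects generated by Apache itself. Plain "Header set" only covers
#    successful (2xx) responses, which leaves 403/404/500 pages and the 301
#    from rule 3a without them.
#    NOTE(review): if the PHP code sends the same headers itself, responses
#    may carry them twice - confirm and keep one source.
# Stop browsers from MIME-sniffing a response away from its declared type.
Header always set X-Content-Type-Options "nosniff"
# Allow framing by same-origin pages only (clickjacking defence).
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy header: current browsers have removed their XSS auditor and ignore it.
# It is not an XSS defence; output encoding and a Content-Security-Policy are.
Header always set X-XSS-Protection "1; mode=block"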
