Options -Indexes
Options -MultiViews
Options +FollowSymLinks

AddDefaultCharset UTF-8

<IfModule mod_headers.c>
  Header always append X-Frame-Options SAMEORIGIN
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

# Hard deny for config, hidden files and composer
<FilesMatch "^config(|\.local)\.ini$|^\..*$|^composer\.(json|lock)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

# Hard deny for editors files
<FilesMatch "(^#.*#|\.(bak|conf|dist|in[ci]|log|orig|sh|sql|sw[op])|~)$">
  <IfModule mod_authz_core.c>
     Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

DirectoryIndex index.php index.html index.htm

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Allow rule for ui/images
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule (^|/)ui/images/.+\.(jpg|jpeg|png|gif|webp|svg)$ - [L]

  # Allow rule for css files
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule (^|/)ui/css/[^/]+\.css$ - [L]

  # Allow rule for ui/js files
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule (^|/)ui/js/.+\.(map|css|js)$ - [L,QSA]

  # Allow rule for sensor
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule (^|/)sensor/(|index\.php)$ - [L,QSA]

  # Allow rule for installer
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule (^|/)install/(|index\.php)$ - [L,QSA]

  # Deny rule for app directories
  RewriteCond %{REQUEST_URI} (^|/)(assets|app|sensor|config|tmp|libs|install|vendor|ui|extension)($|/.*$) [NC,OR]

  # Deny rule for markdown and other software documents
  RewriteCond %{REQUEST_URI} (^|/)(README|CHANGELOG|LICENSE|AUTHORS|CODE_OF_CONDUCT|LEGALNOTICE|RELEASE_NOTES|SECURITY|FILE_ID)(|\.txt|\.md|\.diz|\.DIZ)$ [NC,OR]

  # Deny rule for hidden files
  RewriteCond %{REQUEST_URI} (^|/)\..*$ [NC,OR]

  # Deny rule for docker if any
  RewriteCond %{REQUEST_URI} (^|/)(docker|Docker).*$ [NC,OR]

  # Deny rule for app specific files in root config files
  RewriteCond %{REQUEST_URI} (^|/)(app\.json|composer\.json|composer\.lock|cron.json|eslint.config.js|phpcs.xml)$ [NC]

  RewriteRule ^.*$ - [F,L]

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d

  # Default for all other requests
  RewriteRule ^ index.php [L,QSA]
</IfModule>
