# ─── PHP Extension Hide ───────────────────────────────
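# Turn off auto-generated directory listings, so a folder without an index
# file does not expose its contents.
# NOTE(review): this needs AllowOverride to permit Options here — confirm.
Options -Indexes
RewriteEngine On

# Remove .php from URL (redirect .php → clean URL)
# THE_REQUEST is the raw request line ("GET /page.php?x=1 HTTP/1.1"). It is not
# changed by the internal rewrite to .php, so this redirect cannot loop with it.
# The pattern is anchored to the request path: [^.?\s]+ cannot cross "?" or a
# space, and the trailing [?\s] requires ".php" to end the path. A ".php" that
# appears only inside the query string (e.g. ?next=/a.php) therefore no longer
# triggers a redirect that rewrites the query value.
# The substitution has no query string, so the original one is carried over.
# NOTE(review): clients usually replay a 301 as GET, so a form POSTed to a
# .php URL loses its body — confirm forms target the clean URLs.
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/([^.?\s]+)\.php[?\s] [NC]
RewriteRule ^ /%1 [R=301,L,NE]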

# Internally serve .php files for clean URLs
# All four conditions must hold before the rule fires (RewriteCond lines are
# ANDed by default). The client keeps seeing the clean URL: [L] without R is an
# internal rewrite, not a redirect.
# 1-2: the request does not already map to an existing directory or file.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
# 3: skip common static-asset extensions (case-insensitive).
RewriteCond %{REQUEST_URI} !\.(css|js|png|jpg|jpeg|gif|webp|ico|svg|woff|woff2|ttf|eot)$ [NC]
# 4: a file with the same path plus ".php" exists on disk.
# NOTE(review): REQUEST_FILENAME may exclude trailing path info, so /page/extra
# could pass this check when only page.php exists — verify such URLs end in a
# 404 rather than repeated internal rewrites.
RewriteCond %{REQUEST_FILENAME}.php -f
# Capture the path without an optional trailing slash and append ".php".
# The leading "/" in the substitution assumes this .htaccess sits in the
# document root — TODO confirm.
# NOTE(review): deny rules on the target file should still apply to the
# rewritten request, so /db is expected to return 403 like /db.php — verify.
RewriteRule ^(.+?)/?$ /$1.php [L]

# ─── Security ────────────────────────────────────────
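# Block direct access to sensitive files
# Matches on the file name only, in this directory and every subdirectory:
# SQL dumps, logs, .env files, .htpasswd and Markdown notes. (?i) makes the
# match case-insensitive so DUMP.SQL or README.MD are covered as well.
# NOTE(review): backup copies (.bak, .old, editor swap files) and VCS
# directories are not covered by this list — confirm none are deployed.
<FilesMatch "(?i)\.(sql|log|env|htpasswd|md)$">
  # Apache 2.4+: native authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: legacy syntax, used only when mod_authz_core is absent, so the
  # file loads on 2.4 without mod_access_compat.
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>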

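# Protect db.php
# Denies HTTP requests for any file named db.php in this directory tree.
# This is an access-control rule at the web server only; how other scripts
# load the file is outside what this directive governs.
<Files "db.php">
  # Apache 2.4+: native authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: legacy syntax, used only when mod_authz_core is absent, so the
  # file loads on 2.4 without mod_access_compat.
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>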

# ─── Performance ─────────────────────────────────────
<IfModule mod_expires.c>
  # Cache lifetimes for static assets, applied only when mod_expires is loaded.
  # "access" counts the lifetime from the time of the client's request.
  ExpiresActive On

  # Images: one year.
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/jpeg "access plus 1 year"

  # Scripts and stylesheets: one month.
  ExpiresByType application/javascript "access plus 1 month"
  ExpiresByType text/css "access plus 1 month"
</IfModule>
