Options -Indexes
ServerSignature Off

# Deny access to sensitive directories
<FilesMatch "\.(sql|log|env|sh|htpasswd)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# Protect includes directory
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^includes/ - [F,L]
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>

# PHP error hiding in production
php_flag display_errors Off
php_value error_log /tmp/muhanga_errors.log

# Allow file uploads up to 10MB
php_value upload_max_filesize 10M
php_value post_max_size 12M
