# Turn off automatic directory listings for this directory and everything
# below it, so a folder without an index file does not reveal its contents.
# NOTE(review): this needs AllowOverride to permit Options; where it does not,
# Apache is expected to answer 500 for the whole tree - confirm on the target host.
Options -Indexes

# Baseline response-hardening headers.
# "always" puts each header in the table that is also sent on error responses
# (4xx/5xx), not only on successful ones.
# NOTE(review): if mod_headers is not loaded this whole section is skipped
# silently and none of these headers are sent - verify with a response check
# after deployment.
# NOTE(review): no Content-Security-Policy or Strict-Transport-Security is set
# in this file; presumably handled elsewhere (vhost or application) - confirm.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing only by pages of the same origin (clickjacking mitigation).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Cross-origin requests receive only the origin as referrer, and nothing on
    # an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Empty allowlists: geolocation, microphone and camera are disabled for this
    # site and for any frames it embeds.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Other origins may not embed these responses via no-cors loads.
    # NOTE(review): this also blocks legitimate cross-origin use of images,
    # scripts or fonts hosted here - confirm nothing depends on that.
    Header always set Cross-Origin-Resource-Policy "same-origin"
</IfModule>

# Path-based denials implemented with mod_rewrite.
# The patterns have no leading slash, so they assume per-directory (.htaccess)
# context, where the match runs against the path relative to this directory.
# NOTE(review): both rules fail open. If mod_rewrite is not loaded, the
# <IfModule> guard skips them and dotfiles and data/ are served like any other
# path. Consider a check at deploy time that a request for data/ returns 403.
# NOTE(review): per-directory rewrite rules are not inherited by a subdirectory
# whose own .htaccess configures mod_rewrite, unless RewriteOptions Inherit is
# used there. Keep the writable data/ directory free of .htaccess files, or
# disable overrides for it in the server config.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block hidden files/folders (any path segment starting with "."), e.g.
    # VCS metadata or environment files. The negative lookahead exempts every
    # segment named ".well-known/", i.e. the whole .well-known tree at any
    # depth, not only the ACME challenge path. [F] answers 403 and stops
    # further rule processing.
    RewriteRule "(^|/)\.(?!well-known/)" - [F]

    # Deny direct access to writable data directory (centralized, no data/.htaccess needed).
    # Matches "data" itself and anything below it; "database" or "data.txt" do not match.
    # NOTE(review): the match is case-sensitive (no [NC]); on a case-insensitive
    # file system a differently-cased path may resolve to the same directory - confirm.
    RewriteRule ^data(?:/|$) - [F,L]
</IfModule>

# Apache 2.4 syntax: refuse to serve the application config and any metadata
# or documentation file.
# <FilesMatch> tests the file's base name only, so the rule applies in every
# subdirectory too: config.php, and any name ending in .json or .md.
# NOTE(review): that includes .json files under .well-known/ - confirm nothing
# public is published there in that format.
# NOTE(review): the pattern is anchored and case-sensitive. Editor or backup
# copies (e.g. a name with an extra suffix after "config.php") are not covered
# and may be served as plain text; keep such files out of the web root.
<IfModule mod_authz_core.c>
    <FilesMatch "^(config\.php|.*\.(json|md))$">
        Require all denied
    </FilesMatch>
</IfModule>

# Fallback for servers without mod_authz_core (pre-2.4 access-control syntax).
# Same file-name pattern as the 2.4 section; keep the two in sync when editing.
# "Order allow,deny" with no Allow line plus "Deny from all" rejects every request
# for a matching file.
# NOTE(review): unlike the rewrite and header sections, these directives are not
# guarded by the module that provides them; if that module is missing, Apache is
# expected to reject the file with an error rather than serve the files - confirm.
<IfModule !mod_authz_core.c>
    <FilesMatch "^(config\.php|.*\.(json|md))$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
