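# Apache per-directory configuration. It appears written for .htaccess context
# (relative RewriteRule targets, no RewriteBase); it needs mod_rewrite and an
# AllowOverride covering FileInfo, AuthConfig and Options.
RewriteEngine On

# Forward the Authorization header (Bearer token) to PHP as HTTP_AUTHORIZATION.
# Needed under CGI/FastCGI, where Apache strips it. The rule is re-evaluated on
# the internal redirect to index.php below, so PHP receives
# $_SERVER['HTTP_AUTHORIZATION'] (it may additionally appear as
# REDIRECT_HTTP_AUTHORIZATION). On Apache 2.4.13+ with mod_proxy_fcgi,
# "CGIPassAuth On" is the supported alternative.
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Never serve repository metadata even when the files exist on disk: the
# front-controller rule below passes existing files and directories through.
RewriteRule (^|/)\.git(/|$) - [F,L]

# Block script execution under uploads/. <Directory> is not permitted inside
# .htaccess (every request would fail with a 500 "not allowed here"), so the
# denial is expressed as a rewrite rule instead. The trailing (\.|/|$) also
# catches double extensions (name.php.jpg) and path-info suffixes (name.php/x);
# [NC] makes the match case-insensitive. Defence in depth: add an
# uploads/.htaccess that disables the PHP handler (e.g. "php_flag engine off"
# under mod_php, or RemoveHandler/RemoveType for .php) and repeats the denial.
RewriteRule ^uploads/.*\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|aspx|cgi|dll|exe|shtml)(\.|/|$) - [F,NC,L]

# Front controller: anything that is not an existing file or directory goes to
# index.php. The internal redirect is subject to the <Files*> sections below,
# which is why index.php is explicitly re-allowed there.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

# Directory listings off for the whole tree (previously only under uploads/,
# inside the invalid <Directory> block). Needs AllowOverride Options (or
# Options=Indexes) in the vhost.
Options -Indexes

# Security: deny direct access to configuration, dumps, docs, lockfiles and
# PHP sources. Caveat: this also blocks static JSON assets (e.g. manifest.json);
# narrow the list if the application serves any.
<FilesMatch "\.(env|sql|md|log|json|lock|yml|yaml|php)$">
  Require all denied
</FilesMatch>

# Any dotfile (.env.local, .env.example, .htpasswd, .DS_Store, ...): the suffix
# pattern above only catches a literal ".env". Only the file name component is
# matched, so files under .well-known/ are unaffected.
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

# index.php is the front controller and must stay reachable; the blanket .php
# denial above would otherwise return 403 for every request. <Files*> sections
# merge in the order they appear, so this later section takes precedence.
<Files "index.php">
  Require all granted
</Files>

# Security headers
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  # The legacy XSS auditor is gone from current browsers and its block mode was
  # itself abusable in older ones; "0" explicitly disables it.
  Header always set X-XSS-Protection "0"
  Header always set Referrer-Policy "same-origin"
  Header always set Permissions-Policy "camera=(), geolocation=(), microphone=(), payment=()"
  # Do not advertise the PHP version; both forms are needed because the header
  # may land in either of Apache's output header tables.
  Header unset X-Powered-By
  Header always unset X-Powered-By
  # Enable once the site is served over HTTPS only (the policy is sticky for
  # max-age seconds):
  # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  # A Content-Security-Policy is still missing; it must be tailored to the
  # application's scripts and styles, so it is not set here.
</IfModule>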
