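RewriteEngine On

# Canonicalise the production domain to https://dcc.xwebitsolutions.com in a
# single 301. A request is redirected when the Host header is the production
# domain (with or without www) AND it is either plain HTTP or uses the www name.
# [OR] binds only the two conditions it joins, so the logic is:
#   host-is-production AND (not-https OR host-is-www)
# Previously http://www.… took two hops (http www -> https www -> https apex),
# and the intermediate https://www hop needed a certificate valid for www.
# The redirect target is a fixed literal, so the Location header never reflects
# the client-supplied Host value.
# NOTE(review): if TLS is terminated in front of Apache (load balancer / CDN),
# %{HTTPS} may read "off" for every request and this rule would loop — confirm
# the deployment and test on the forwarded-proto header instead if so.
RewriteCond %{HTTP_HOST} ^(www\.)?dcc\.xwebitsolutions\.com$ [NC]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteRule ^ https://dcc.xwebitsolutions.com%{REQUEST_URI} [L,R=301]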

RewriteBase /

# Front controller: the two conditions below belong to the RewriteRule that
# follows them (blank lines and comments in between do not break the chain).
# A request that maps to an existing file (-f) or directory (-d) is left alone
# and served by Apache directly; everything else is handed to index.php.
# Consequence for hardening: any file that exists under this directory is
# reachable without passing through the application, unless a later directive
# in this file denies it. Keep uploads, backups and VCS metadata out of the
# docroot.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Route everything else to front controller.
# QSA keeps the original query string; L stops rule processing for this pass.
RewriteRule ^ index.php [QSA,L]

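# Security headers
# "always" makes mod_headers attach these to every response, including the
# 301 redirects and 4xx/5xx pages Apache generates itself; plain "Header set"
# only touches successful responses, so error pages went out without them.
# NOTE(review): if index.php emits the same headers itself, "always" can
# produce duplicates because it writes to a separate header table — verify the
# application does not set them too.
# The <IfModule> guard fails open: when mod_headers is not loaded, no header is
# sent and no error is raised, so check the responses after deployment.
# No Strict-Transport-Security header is set in this file; the HTTPS redirect
# above is the only HTTPS enforcement here.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response into a different content type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing only by pages of the same origin (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Send the full referrer same-origin, only the origin cross-origin, and
    # nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>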

# Disable directory listing: a directory without an index file returns 403
# instead of an auto-generated file list. This hides file names only; a file
# whose URL is known or guessed is still served.
# Requires the server config to permit Options in .htaccess (AllowOverride);
# otherwise Apache rejects this line with a 500.
Options -Indexes

# Protect sensitive files if docroot is misconfigured.
# Defence in depth only: denies any file whose name ends in .env, .sql, .md or
# .log, in this directory and below. The pattern is case-sensitive and matches
# on the file name, so it does not cover other leftovers (for example files
# inside a .git directory, archives, editor backups, or .ENV on a
# case-insensitive filesystem).
# "Require all denied" is Apache 2.4 syntax (mod_authz_core).
<FilesMatch "\.(env|sql|md|log)$">
    Require all denied
</FilesMatch>
