Options -Indexes
ServerSignature Off

# UTF-8 everywhere
AddDefaultCharset UTF-8

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Protect includes directory (shouldn't be web-accessible)
<FilesMatch "\.(php)$">
    <If "%{REQUEST_URI} =~ m|/includes/|">
        Require all denied
    </If>
</FilesMatch>

# Default page
DirectoryIndex index.php login.php

# PHP settings
<IfModule mod_php8.c>
    php_value session.cookie_httponly 1
    php_value session.use_strict_mode 1
</IfModule>
