RewriteEngine On

# Pass Authorization header to PHP (required on shared hosting)
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Redirect all requests to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L,QSA]

# Deny access to sensitive files
<FilesMatch "\.(env|ini|log|sql)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Deny access to composer files
<FilesMatch "^composer\.(json|lock)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
