# SaleOs demo root router for cPanel/Apache.
# Upload the demo directory contents to the hosting root; requests will be
# redirected into /public while sensitive project files stay blocked.

Options -Indexes
DirectoryIndex public/index.php index.php

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Keep existing /public requests inside the real front controller.
    RewriteRule ^public/?$ public/index.php [QSA,L]

    # Serve the demo root through the public front controller.
    RewriteRule ^$ public/index.php [QSA,L]

    # Send non-public URLs to the public directory.
    RewriteCond %{REQUEST_URI} !/public/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ public/$1 [QSA,L]
</IfModule>

<FilesMatch "^(\.env|composer\.(json|lock)|README.*|.*\.md)$">
    Require all denied
</FilesMatch>

<FilesMatch "\.(sqlite|db|log|bak|sql)$">
    Require all denied
</FilesMatch>

<IfModule !mod_authz_core.c>
    <FilesMatch "^(\.env|composer\.(json|lock)|README.*|.*\.md)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "\.(sqlite|db|log|bak|sql)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
