# Path: /trackingapp/.htaccess

# Turn off auto-generated directory listings, so a directory without an index
# file does not reveal its contents to the browser.
# NOTE(review): only takes effect if the server's AllowOverride permits Options
# in .htaccess — confirm in the vhost configuration.
Options -Indexes

# Response hardening headers. "always" puts them on error and redirect
# responses too, not only on successful ones.
# NOTE(review): inside <IfModule> these directives are skipped without any error
# when mod_headers is not loaded — confirm with a response-header check after
# deployment.
<IfModule mod_headers.c>
  # Tell browsers to honour the declared Content-Type instead of sniffing it.
  Header always set X-Content-Type-Options "nosniff"
  # Allow these pages to be framed only by the same origin (clickjacking defence).
  Header always set X-Frame-Options "SAMEORIGIN"
  # Full URL as referrer to the same origin, origin only cross-origin,
  # nothing on an HTTPS -> HTTP downgrade.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

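# Block direct access to sensitive files.
# <FilesMatch> tests the base name of the file, so the denial applies in every
# subdirectory as well as in this one.
#  - (?i): match case-insensitively, so a case-insensitive filesystem cannot be
#    used to reach the same file under a differently-cased name.
#  - \.env(\..+)?: also covers environment variants such as .env.local or
#    .env.production, which usually hold the same secrets as .env.
# NOTE(review): backup copies such as config.php.bak or config.php~ are NOT
# matched and would be served as plain text rather than executed; keep such
# copies out of the web root.
<FilesMatch "(?i)^(config\.php|composer\.(json|lock)|package\.json|\.env(\..+)?|\.gitignore)$">
  Require all denied
</FilesMatch>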

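# Block access to internal directories (web should only hit /admin and /go).
# Deliberately not wrapped in <IfModule mod_rewrite.c>: if mod_rewrite is not
# loaded, Apache rejects this file with a 500 instead of silently serving the
# directories below.
# NOTE(review): per-directory rewrite rules are not inherited by a subdirectory
# whose own .htaccess enables the rewrite engine, so an .htaccess shipped inside
# one of these directories can switch the denials off for that subtree. Keeping
# the directories outside the document root, or placing "Require all denied" in
# each of them, does not depend on rewrite inheritance.
RewriteEngine On

# [NC]: on a case-insensitive filesystem a differently-cased path resolves to
# the same directory, so the match has to ignore case as well.
RewriteRule ^(app|modules|migrations|storage|vendor)(/|$) - [F,L,NC]

# If the site is deployed from a git checkout, .git/ holds the full source
# history; deny it at any depth.
RewriteRule (^|/)\.git(/|$) - [F,L,NC]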

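# Deny download of SQL dumps if one is ever left in the web root.
# (?i) ignores case (.SQL), and the optional suffix covers the compressed forms
# that database exports are commonly stored in.
# This is a safety net only: dumps belong outside the document root.
<FilesMatch "(?i)\.sql(\.(gz|bz2|zip))?$">
  Require all denied
</FilesMatch>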

# /trackingapp/.htaccess
# Turn off auto-generated directory listings.
Options -Indexes

# NOTE(review): unlike a bare RewriteEngine directive, this <IfModule> wrapper
# makes the whole section a silent no-op when mod_rewrite is not loaded.
<IfModule mod_rewrite.c>
RewriteEngine On
# Base URL used for relative substitutions; no rule in this section has a
# substitution, so it has no effect on the rule below.
RewriteBase /trackingapp/

# Serve real files and folders directly (installer must not be rewritten away)
# -f: the request maps to an existing regular file; -d: to an existing directory.
# "^ - [L]" matches every request, leaves the URL unchanged and stops rule
# processing for this pass.
# NOTE(review): this pass-through only skips rules written AFTER it. Any rule
# that forbids internal directories must stay above this section; if this
# section is used as the whole file, every existing file and directory under
# /trackingapp/ is served as-is — confirm which layout is deployed.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
</IfModule>
