# Disable directory listings: a directory without an index file must not
# expose its file tree (the deny rules below hide contents, not names).
Options -Indexes

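# ===== Block direct access to non-entry-point PHP files =====
# Files that may be requested directly by URL:
#   index.php, panel.php, save.php, api.php, forgot_password.php
# Everything listed in the pattern is include-only. <FilesMatch> tests the last
# path component, so the rule also applies to same-named files in subdirectories.
# "(?i)" makes the match case-insensitive: on a case-insensitive filesystem
# (Windows, default macOS) a request for CONFIG.PHP would otherwise resolve to
# config.php and be served. Note this matches a *file* named handlers.php; the
# handlers/ directory is handled separately below.
<FilesMatch "(?i)^(config|smtp|handlers)\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>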

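# ===== Block direct access to the handlers/ directory =====
<IfModule mod_rewrite.c>
    # NOTE: RewriteEngine On in a .htaccess does not inherit rewrite rules from
    # parent directories unless "RewriteOptions Inherit" is set - confirm this
    # is intended if the parent directory uses a front-controller rewrite.
    RewriteEngine On
    # Per-directory rewrite: the pattern is matched against the path relative
    # to this directory. [NC] also catches "Handlers/" on case-insensitive
    # filesystems; [F] returns 403 and implies [L].
    RewriteRule ^handlers/ - [F,L,NC]
</IfModule>
# Fallback when mod_rewrite is not loaded. The <FilesMatch> sections in this
# file each carry a 2.2/2.4 fallback, but this directory rule previously did
# nothing at all without mod_rewrite - silently leaving handlers/ reachable.
<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        RedirectMatch 403 "(?i)/handlers/"
    </IfModule>
</IfModule>
# Defence in depth: also place a .htaccess containing "Require all denied" in
# handlers/ itself (or move it outside the document root) so the protection
# does not hinge on a module being enabled.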

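# ===== Block dotfiles & dot-directories =====
# Deny any *file* whose name begins with a dot (.htaccess, .htpasswd, .env,
# editor swap files, ...). <FilesMatch> only sees the basename, so this does
# NOT cover files inside a dot-directory such as .git/HEAD or .svn/entries.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# Close the dot-directory gap: refuse any URL containing a path segment that
# begins with a dot, except .well-known (ACME HTTP-01 challenges, security.txt).
# Returning 404 rather than 403 avoids confirming that such a path exists.
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.(?!well-known(/|$))"
</IfModule>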

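# ===== Block sensitive / leftover file extensions =====
# Anything a deploy, editor or dump might leave in the web root and that must
# never be served: lock/manifest files, logs, backups, editor originals and
# "~" backups, SQL dumps, config fragments and PHP source variants
# (.inc / .phps / .dist). Case-insensitive so "DB.SQL" is caught on
# case-insensitive filesystems too.
# NOTE: this also blocks legitimate assets such as manifest.json or *.yml in
# this directory - it is meant for a backend directory, not a public root.
<FilesMatch "(?i)(\.(json|log|lock|bak|tmp|sql|old|orig|swp|ini|inc|phps|dist|yml|yaml)$|~$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 fallback
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>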

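# ===== Security response headers (backend only - stricter than the site-wide set) =====
<IfModule mod_headers.c>
    # "always" also applies to error responses (403/404/500) and to responses
    # produced by PHP.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy framing control; CSP frame-ancestors below is the modern equivalent
    # and is kept identical in effect (no framing at all).
    Header always set X-Frame-Options "DENY"
    # If the application already emits its own Content-Security-Policy, fold
    # frame-ancestors into that policy instead: browsers enforce every CSP
    # header they receive jointly.
    Header always set Content-Security-Policy "frame-ancestors 'none'"
    Header always set Referrer-Policy "same-origin"
    # X-XSS-Protection has been removed from current browsers, and the
    # "1; mode=block" filter created cross-site leaks in the browsers that had
    # it. "0" disables the filter explicitly instead of relying on the default.
    Header always set X-XSS-Protection "0"
    # Backend pages carry session-bound data: never store them in browser or
    # shared caches. This applies to every response from this directory,
    # including static assets served from it.
    Header always set Cache-Control "no-store, no-cache, must-revalidate, private"
    Header always set Pragma "no-cache"
</IfModule>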
