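# Root-level .htaccess: forwards requests into public/ when DocumentRoot cannot
# be pointed there. Uses Apache 2.4 authorization syntax (Require).
RewriteEngine On

# Deny direct access to sensitive files.
# Apart from the leading-dot alternative, the pattern is an unanchored match on
# the file name, so it also blocks any file whose name merely contains one of
# the listed names (backup copies such as "composer.json.bak", but also
# unrelated names containing "env" or "artisan"). That over-blocking fails
# closed; narrow it only if it hides a file that must be served.
<FilesMatch "(^\.|composer\.(json|lock)|artisan|phpunit\.xml|README(\.md)?|readme(\.md)?|env|\.env)">
    Require all denied
</FilesMatch>

# Prevent direct access to storage.
# A "-" substitution with only [L] leaves the URL unchanged and stops rewriting,
# which lets Apache serve the file from storage/ instead of blocking it.
# [F] answers 403 Forbidden; (/|$) also covers a bare "/storage" request and
# [NC] covers case-insensitive filesystems.
# The pattern is anchored to the top-level path, so anything published under
# public/storage (if the app uses it) is not affected.
RewriteRule ^storage(/|$) - [F,NC]

# If the request is not for an existing file or directory,
# rewrite everything to the public/ directory (fallback when you cannot set DocumentRoot).
# The ^/public/ test assumes the app is served from the site root, not a subdirectory.
# NOTE(review): because of the !-f / !-d conditions, any existing file or
# directory outside public/ that the rules above do not match is still served
# straight from the project root. Pointing DocumentRoot at public/ is the
# complete fix; until then, confirm that nothing else in the root needs denying.
RewriteCond %{REQUEST_URI} !^/public/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ public/$1 [L]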

