Options -Indexes
DirectoryIndex index.php

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Block sensitive directories
RewriteRule ^(includes|config|db)/ - [F,L]

# If file or directory exists, serve it directly
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Sitemap & RSS
RewriteRule ^sitemap\.xml$ sitemap.xml.php [L]
RewriteRule ^rss/?$ rss.php [L]
RewriteRule ^robots\.txt$ robots.php [L]
RewriteRule ^llms\.txt$ llms.php [L]

# Provider pages
RewriteRule ^provider/([a-z0-9-]+)/?$ provider.php?slug=$1 [L,QSA]

# Category pages
RewriteRule ^(vps|vds|rdp|dedicated|gpu|vpn|proxy)/?$ $1.php [L]
RewriteRule ^(providers|compare|coupons|countries|blog)/?$ $1.php [L]
RewriteRule ^(about|contact|privacy|terms)/?$ $1.php [L]
RewriteRule ^(login|register|logout|dashboard|forgot|reset)/?$ $1.php [L]

# Admin pages
RewriteCond %{DOCUMENT_ROOT}/admin/$1.php -f
RewriteRule ^admin/([a-z0-9_-]+)/?$ admin/$1.php [L,QSA]

# Blog posts (catch-all for slugs)
RewriteCond %{REQUEST_URI} !^/(admin|ajax|assets|uploads|db|config|includes)/
RewriteRule ^([a-z0-9][a-z0-9-]*)/?$ post.php?slug=$1 [L,QSA]

# Fallback: extensionless to .php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(ajax|assets|uploads|db|config|includes)/
RewriteRule ^([^.]+)$ $1.php [L]
</IfModule>

# Security headers
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Block sensitive files
<FilesMatch "\.(sqlite|db|log|env|ini|bak|sql)$">
Require all denied
</FilesMatch>
