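# Per-directory rewrite and hardening rules for a PHP front-controller site.
# The REQUEST_URI conditions further down assume the site lives at the web
# root, consistent with "RewriteBase /".
RewriteEngine On
RewriteBase /

# Block direct access to sensitive directories.
# [NC] keeps the block effective on case-insensitive filesystems, where
# /Config/ would otherwise resolve to the same directory as /config/.
RewriteRule ^(config|core|data)/ - [F,L,NC]

# Prevent execution of PHP in uploads/.
# The match is case-insensitive and covers the common alternative PHP
# extensions. The trailing group also catches a PHP extension followed by
# another extension or by extra path information, which a plain "\.php$"
# would let through.
# NOTE(review): this is defence in depth only. Whether a given extension is
# executed depends on the handler mapping in the server configuration, which
# is not visible here. Also disable the PHP handler for uploads/ there.
RewriteRule ^uploads/.*\.(?:php[0-9]?|phtml|phar)(?:$|[./]) - [F,L,NC]

# Serve existing files and directories directly.
# This rule must stay below the two deny rules above, otherwise existing
# files in the protected directories would be served before being blocked.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Route everything else through index.php (except admin/, assets/ and
# uploads/). The captured path reaches index.php as the "route" query
# parameter and is client-controlled, so the application must validate it
# before using it to select files or handlers.
RewriteCond %{REQUEST_URI} !^/admin/
RewriteCond %{REQUEST_URI} !^/assets/
RewriteCond %{REQUEST_URI} !^/uploads/
RewriteRule ^(.*)$ index.php?route=$1 [QSA,L]

# Security headers (requires mod_headers).
# "always" also applies the headers to error responses such as the 403s
# generated above; a plain "Header set" only covers successful responses.
# There is deliberately no <IfModule> wrapper, so a missing mod_headers shows
# up as a configuration error instead of the headers being dropped silently.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# No directory listing (the server must allow overriding Options here).
Options -Indexes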