## Prevent direct access to anything outside /public.
## All real requests are routed to /public via vhost or by editing PROOT.
RewriteEngine On

## Serve user-uploaded files (photos, receipts, PDFs) straight from
## /storage/uploads/ without routing them into the app front-controller.
## Without this, /storage/uploads/foo.jpg was being rewritten into
## /public/storage/uploads/foo.jpg — which doesn't exist — then handed to
## the router as a controller name, producing a broken-image icon.
RewriteRule ^storage/uploads/ - [L]

RewriteRule ^(.*)$ public/$1 [L]

## Block direct file access to sensitive folders.
<FilesMatch "\.(env|json|md|lock|sql|sh|bat|ini|log)$">
    Require all denied
</FilesMatch>
