# Disable directory browsing
Options -Indexes

# Enable URL rewriting
RewriteEngine On

# Remove .php extension
# If the request is not a directory and not a file with extension
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [L]

# Redirect .php URLs to clean URLs (GET only - never redirect POST/PUT)
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{THE_REQUEST} /([^.]+)\.php [NC]
RewriteRule ^ /%1 [NC,L,R=301]

# Deny access to sensitive files
<FilesMatch "\.(sql|log|htaccess|htpasswd|ini|env)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Deny access to config file
<Files "config.php">
    Order Allow,Deny
    Deny from all
</Files>

# Deny access to email helper
<Files "email_helper.php">
    Order Allow,Deny
    Deny from all
</Files>
