# IPTV Secure Gateway — Apache 2.4+
# Default: allow public PHP endpoints; deny includes, data, and config.

Options -Indexes

<IfModule mod_rewrite.c>
  RewriteEngine On
  # Optional: redirect HTTP to HTTPS in production (uncomment).
  # RewriteCond %{HTTPS} !=on
  # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  RewriteRule ^includes/ - [F,L]
  RewriteRule ^data/ - [F,L]
  RewriteRule ^config\.php$ - [F,L]
</IfModule>

<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
