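# Apache per-directory (.htaccess) hardening for a PHP front controller.
# Directives are evaluated in order; the mod_rewrite block in particular is
# order-sensitive, so keep the dashboard exemption ahead of the filter rules.

# 1. Prevent directory browsing (no auto-generated listings when no index file exists)
Options -Indexes

# 2. Protect core files: only GET and POST (plus HEAD, which Apache folds into
#    GET for <LimitExcept>) may reach index.php and dashboard.php; every other
#    method (PUT, DELETE, OPTIONS, TRACE, ...) is refused.
#    NOTE(review): Order/Deny is Apache 2.2 syntax; on 2.4 it only works with
#    mod_access_compat loaded. `Require all denied` is the 2.4 form — confirm
#    the server version before switching.
<FilesMatch "^(index|dashboard)\.php$">
    <LimitExcept GET POST>
        Order allow,deny
        Deny from all
    </LimitExcept>
</FilesMatch>

# 3. Security Engine
RewriteEngine On

# EXEMPTION: requests for dashboard.php skip the query-string filter below.
# Consequence: dashboard.php receives unfiltered input and must do its own
# validation, parameterised queries and output encoding. The pattern has no
# trailing "$", so any path beginning with "dashboard.php" is exempted —
# add "$" if PATH_INFO-style URLs are not used.
RewriteRule ^dashboard\.php - [L]

# 4. Filter out malicious injections (defense in depth only).
#    These patterns run against the raw, undecoded query string, do not look at
#    POST bodies or headers, and are not a substitute for input validation in
#    the application. The SQL keyword list is anchored with \b so that words
#    containing a keyword ("settings", "reset", "dropdown", "broadcast") are no
#    longer rejected — the previous unanchored form matched them as false
#    positives despite its "tightened" intent. Whole-word parameter names such
#    as "set=" still match; remove any keyword the application uses legitimately.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} \b(concat|union|select|insert|cast|set|declare|drop|update)\b [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 and ignores the substitution, so "-" replaces the misleading
# "index.php" target; nothing is ever rewritten to index.php here. F implies L.
RewriteRule ^(.*)$ - [F,L]

# 5. Global limit on request body size: 10240000 bytes (~9.8 MiB).
#    Caps uploads and bounds body-based resource exhaustion; PHP's own
#    upload_max_filesize / post_max_size still apply independently.
LimitRequestBody 10240000

# Protect .htaccess from being served. Default Apache configs typically block
# ".ht*" already; this is a belt-and-braces copy for hosts that do not.
# NOTE(review): same 2.2-vs-2.4 access-control caveat as in section 2.
<Files ".htaccess">
    Order allow,deny
    Deny from all
</Files>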