# Joomtower — shared-hosting root .htaccess
#
# USE THIS ONLY IF you cannot point your domain's document root at the
# project's `public/` folder (the recommended, more secure setup). Rename
# this file to `.htaccess` and place it in the project root — i.e. the same
# folder as `artisan` and `composer.json`, which then becomes your web root.
#
# It routes all web traffic into Laravel's public/ folder and HARD-BLOCKS
# direct web access to the application's private files — necessary because,
# with the docroot at the project root, files like .env would otherwise be
# reachable from a browser.
#
# Apache / LiteSpeed (mod_rewrite). Covers effectively all shared hosting.

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block direct access to private application directories.
    RewriteRule ^(app|bootstrap|config|database|resources|routes|storage|tests|vendor)(/|$) - [F,L]

    # Block sensitive root files (.env, .env.backup, composer.*, artisan, ...).
    RewriteRule ^\.env - [F,L]
    RewriteRule ^(composer\.(json|lock)|package\.json|artisan|phpunit\.xml)$ - [F,L]

    # Everything else is served from public/.
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>

# Belt-and-suspenders: deny .env even if mod_rewrite is unavailable.
<Files ".env">
    Require all denied
</Files>
