<IfModule mod_rewrite.c>
    RewriteEngine On
    Options -Indexes

    # --------------------------------------------------
    # Force HTTPS + WWW
    # --------------------------------------------------
    RewriteCond %{HTTPS} !=on [OR]
    RewriteCond %{HTTP_HOST} !^www\.imperialsuites\.com\.qa$ [NC]
    RewriteRule ^ https://www.imperialsuites.com.qa%{REQUEST_URI} [L,R=301]

    # --------------------------------------------------
    # Block sensitive files & folders
    # --------------------------------------------------
    RewriteRule (^|/)\.(env|git|htaccess|htpasswd) - [F,L]
    RewriteRule ^(artisan|composer\.(json|lock)|package\.json|vite\.config\.) - [F,L]
    RewriteRule ^(vendor|storage|bootstrap|config|database|resources|routes)/ - [F,L]

    # Allow storage public assets only (images etc)
    RewriteCond %{REQUEST_URI} ^/storage/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ - [F,L]

    # Prevent PHP execution inside uploads
    RewriteRule ^storage/.*\.php$ - [F,L]

    # --------------------------------------------------
    # Authorization header (APIs / Sanctum)
    # --------------------------------------------------
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # --------------------------------------------------
    # Send all requests to Laravel public/index.php
    # --------------------------------------------------
    RewriteCond %{REQUEST_URI} !^/public/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ public/index.php [L]
</IfModule>
