# ============================================================
# app.busyhai.com — Main .htaccess
# Place this file in your whatsapp-engine root folder
# (same folder where index.php lives)
# ============================================================
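Options -Indexes -MultiViews
ServerSignature Off

# ── Force HTTPS ──────────────────────────────────────────────
# No <IfModule> guards on purpose: if mod_rewrite or mod_headers is not
# loaded, Apache answers 500 instead of silently serving the app without
# the protections below.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# ── Block direct access to .php files (except index.php) ─────
# Nobody can open chats.php, api/send.php etc. directly.
# Enforced on the resolved filename instead of matching %{THE_REQUEST}:
# Apache percent-decodes the path before mapping it to a file, so a pattern
# applied to the raw request line (e.g. "\.php") does not see an encoded
# dot (%2E) even though the request still resolves to chats.php.
# A later <Files> section overrides an earlier match, which is how
# index.php is re-allowed; routed requests (/chats -> index.php) are
# unaffected because they are served by index.php.
<FilesMatch "(?i)\.php$">
    Require all denied
</FilesMatch>
<Files "index.php">
    Require all granted
</Files>

# ── Block direct access to sensitive files ────────────────────
# A bare "Require all denied" at this level applies to the whole directory
# and would 403 every request, so it must be scoped to a file pattern.
# Covers dotfiles (.env, .git*, .htaccess, ...) plus common config, log,
# dump and backup extensions — extend the list to what this deployment
# actually ships.
<FilesMatch "(^\.|\.(?:env|ini|log|sql|bak)$)">
    Require all denied
</FilesMatch>

# ── Block access to folders that should never be public ───────
RewriteRule ^(config|src|vendor|node_modules|logs|cache|storage)(/.*)?$ - [F,L]

# ── Strip X-Powered-By header (hides PHP version) ────────────
Header unset X-Powered-By
Header always unset X-Powered-By
# mod_headers runs before the core adds the Server header, so the next line
# has no effect; "ServerTokens Prod" in the server config is what trims it.
Header unset Server

# Security headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
# Legacy header: current browsers ignore it, and current guidance is "0"
# (or dropping it) because the old filter could be abused for cross-site
# leaks in older browsers. Kept as configured by the author.
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
# The host is HTTPS-only (301 above), so pin browsers to HTTPS for a year.
# includeSubDomains/preload are left out deliberately: they affect other
# hosts under this name and are hard to roll back.
Header always set Strict-Transport-Security "max-age=31536000"

# ── Cache: never cache HTML responses (fresh data always) ────
# Scoped to PHP/HTML output. An unscoped "Header always set" would also
# mark css/js/images/fonts as no-store and defeat browser caching of
# static assets. Routed requests are served by index.php and so match.
<FilesMatch "\.(?:php|html?)$">
    Header always set Cache-Control "no-store, no-cache, must-revalidate"
</FilesMatch>

# ── Route everything to index.php (SPA-style router) ─────────
# Skip real files (css, js, images, fonts) and directories.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]

# ── API routes: /api/xxx → index.php?route=api/xxx ───────────
# Already handled by the rule above. index.php reads REQUEST_URI.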