# Disable auto-generated directory listings for directories without an index file.
# In .htaccess this directive is only accepted when the server config permits
# it (AllowOverride Options); otherwise requests fail with a 500.
Options -Indexes
# Turn on mod_rewrite processing; every RewriteRule below depends on it.
RewriteEngine On

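# Force HTTPS (uncomment in production). Until this is enabled, the staff and
# member login pages are reachable over plain HTTP. If TLS is terminated on a
# proxy or load balancer in front of Apache, %{HTTPS} stays "off" here and the
# rule would redirect in a loop; in that setup test the forwarded-protocol
# header set by the proxy instead.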
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

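# Protect sensitive directories
# Requests under includes/ and cron/ are answered with 403 Forbidden.
# [NC] makes the match case-insensitive, so a differently-cased path such as
# /Includes/ is still refused when the filesystem is case-insensitive.
# Do not wrap these rules in <IfModule mod_rewrite.c>: without the module
# Apache rejects this file with a 500 (fail closed) instead of silently serving
# both directories.
# NOTE(review): keeping these directories outside the document root, or denying
# them in the server config, would not depend on rewrite processing at all.
RewriteRule ^includes/ - [F,L,NC]
RewriteRule ^cron/     - [F,L,NC]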

# Default routes
# Temporary (302) external redirects to fixed paths. The targets are
# root-relative, so this presumably expects the app at the document root.
# The bare site root lands on the staff login page.
RewriteRule ^$         /staff/login.php  [L,R=302]
# /staff and /staff/ go straight to index.php. No access control is applied
# here; it has to come from that script, which is not visible in this file.
RewriteRule ^staff/?$  /staff/index.php  [L,R=302]
# /member and /member/ go to the member login page.
RewriteRule ^member/?$ /member/login.php [L,R=302]

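# Security headers
# "always" puts each header on error and redirect responses too (for example
# the 403 and 302 responses produced by the rewrite rules in this file), which
# a plain "Header set" does not cover. The paired "onsuccess unset" removes a
# copy emitted by the application so the header is not sent twice.
# NOTE(review): if mod_headers is not loaded this section is skipped without
# any error, so confirm the headers on a live response after deployment.
<IfModule mod_headers.c>
  # Stop browsers from MIME-sniffing a response away from its declared type.
  Header onsuccess unset X-Content-Type-Options
  Header always set X-Content-Type-Options "nosniff"

  # Allow framing by same-origin pages only (clickjacking defence).
  Header onsuccess unset X-Frame-Options
  Header always set X-Frame-Options "SAMEORIGIN"

  # Legacy header: current browsers no longer ship the XSS filter it controls.
  # The value is kept as originally set; a Content-Security-Policy is the
  # control to add for script-injection defence.
  Header onsuccess unset X-XSS-Protection
  Header always set X-XSS-Protection "1; mode=block"

  # Send only the origin, not the full URL, on cross-origin navigations.
  Header onsuccess unset Referrer-Policy
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>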

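# PHP settings
# php_flag / php_value are only understood when PHP runs as an Apache module,
# and the module identifier differs by PHP version: mod_php.c for PHP 8,
# mod_php7.c for PHP 7. Both are listed so the settings are not silently
# skipped on a PHP 7 host.
# NOTE(review): under PHP-FPM or CGI neither section matches and nothing here
# is applied, so display_errors has to be turned off in php.ini, .user.ini or
# the pool configuration instead. Verify the effective values with phpinfo()
# or ini_get() on the deployed host.
<IfModule mod_php.c>
  # Keep error text (paths, queries, stack details) out of HTTP responses.
  php_flag display_errors Off
  # Upload limit; post_max_size is kept larger to leave room for other fields.
  php_value upload_max_filesize 5M
  php_value post_max_size 6M
</IfModule>
<IfModule mod_php7.c>
  php_flag display_errors Off
  php_value upload_max_filesize 5M
  php_value post_max_size 6M
</IfModule>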
