# Enable rewrite engine
RewriteEngine On

# Protect direct access to folders (but allow PHP includes)
# Block direct browser access to config, models, helpers, etc.
RewriteCond %{REQUEST_URI} ^/backend/(config|models|helpers|controllers|database)/ [NC]
RewriteRule ^ - [F,L]

# Protect sensitive file types from direct access
<FilesMatch "\.(ini|log|sql|env)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# Allow PHP files to include other PHP files internally
# This doesn't block PHP includes, only direct HTTP requests