# Proteger archivos sensibles
<FilesMatch "\.(sql|log|txt|md)$">
  Require all denied
</FilesMatch>

# Proteger directorios sensibles
RedirectMatch 403 ^/config/.*$
RedirectMatch 403 ^/classes/.*$
RedirectMatch 403 ^/libraries/.*$
RedirectMatch 403 ^/error_log$

# Prevenir listado de directorios
Options -Indexes

# Seguridad: headers
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "DENY"
  Header set X-XSS-Protection "1; mode=block"
</IfModule>
