Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# Allow access to all
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>

# Redirect to HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect all requests to public directory
RewriteCond %{REQUEST_URI} !^/public/
RewriteRule ^(.*)$ public/$1 [L]

# Protect sensitive directories
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>

# Protect app and config directories
RewriteRule ^(app|config)/(.*) - [F,L]

# Enable CORS
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>