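# Deny direct HTTP access to every file whose name ends in ".json"
# (presumably the application's data store -- confirm against the app).
# The rule matches on the file extension, not on a directory: it applies to
# this directory and everything below it, so a public .json asset placed here
# is blocked too, while data saved under any other extension is NOT covered.
# The pattern is case-sensitive; on a case-insensitive filesystem a request
# for "name.JSON" would not match. Storing the data outside the document root
# removes the dependency on this file being honoured (AllowOverride).
<FilesMatch "\.json$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax. Kept in a separate branch because on 2.4
    # without mod_access_compat these directives are unknown and every
    # request to the directory fails with a 500.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>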

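# Deny direct HTTP access to config.php. PHP code that include()s the file is
# unaffected, because that read does not go through an HTTP request.
# The denial matters most when PHP handling is broken or disabled: without it
# the server could return the file's source, including any credentials in it.
# <Files> compares the exact name, so backup copies such as "config.php.bak"
# or "config.php~" are not covered by this rule.
<Files "config.php">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax. Kept in a separate branch because on 2.4
    # without mod_access_compat these directives are unknown and every
    # request to the directory fails with a 500.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>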

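# Carry the PHP session id in a cookie only.
# session.use_only_cookies=1 makes PHP ignore session ids passed in the URL,
# which closes the easiest session-fixation path and keeps ids out of logs and
# Referer headers. These flags do not start a session; the application still
# calls session_start().
#
# php_flag is provided by mod_php. Under PHP-FPM or CGI the directive is
# unknown and an unguarded line makes every request fail with a 500, so each
# group is wrapped in <IfModule>. In those setups put the same settings in
# php.ini or .user.ini instead. (PHP 5 registers as mod_php5.c; both values
# are already the default there since PHP 5.3.)
#
# NOTE(review): session.cookie_httponly, session.cookie_secure (HTTPS-only
# sites) and session.use_strict_mode are not set here -- confirm they are
# configured elsewhere.

# PHP 8
<IfModule mod_php.c>
    php_flag session.use_cookies 1
    php_flag session.use_only_cookies 1
</IfModule>

# PHP 7
<IfModule mod_php7.c>
    php_flag session.use_cookies 1
    php_flag session.use_only_cookies 1
</IfModule>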

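# Security response headers.
# "always" adds each header to error responses as well (for example the 403
# returned by the deny rules in this file); a plain "Header set" only covers
# successful responses. If the application emits the same header itself, check
# that the response does not end up with two copies.
# If mod_headers is not loaded the whole block is skipped silently, so verify
# the headers on a live response after deployment.
<IfModule mod_headers.c>
    # Stop browsers from guessing a content type different from the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # Allow framing by same-origin pages only (clickjacking defence). The
    # current equivalent is Content-Security-Policy "frame-ancestors 'self'",
    # which takes precedence in browsers that support it.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy header: current browsers have removed the XSS auditor and ignore
    # it. It is not a substitute for output encoding and a
    # Content-Security-Policy. Value kept as the author set it.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>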
