# Protect admin directory
<Files "auth.php">
    Order allow,deny
    Deny from all
</Files>

# Prevent directory listing
Options -Indexes

# Session security
php_flag session.cookie_httponly On
php_flag session.use_strict_mode On
php_flag session.cookie_secure On

# Enable HTTPS redirect for admin panel (uncomment if needed)
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
