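# Disable automatic directory listings so the contents of this directory
# cannot be enumerated through the web server.
Options -Indexes
# --------------------------------
# Block direct access to JSON data
# --------------------------------
# The deny rule is scoped to *.json files. A bare "Require all denied" at the
# top level of this file applies to every request in the directory, so it
# would also refuse step1.php, step2.php and go.php and the rewrite rules
# below could never serve a response.
# NOTE(review): assumes the data files end in ".json" - confirm the extension,
# and prefer storing them outside the document root where that is possible.
<FilesMatch "\.json$">
    Require all denied
</FilesMatch>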
# ----------------
# Security headers
# ----------------
# These directives need mod_headers. The "always" condition attaches each
# header to every response, including error responses, not only successful ones.
# Forbid rendering these pages inside any frame (clickjacking defence).
Header always set X-Frame-Options "DENY"
# Tell browsers to honour the declared Content-Type instead of MIME-sniffing it.
Header always set X-Content-Type-Options "nosniff"
# Send no Referer header on navigation away from these pages, so the short-link
# id and any token carried in the URL are not passed to the destination site.
Header always set Referrer-Policy "no-referrer"
# NOTE(review): X-XSS-Protection is a legacy header. Current browsers ignore it
# and current guidance is to send "0" or omit it and rely on a
# Content-Security-Policy instead - confirm whether it is still wanted here.
Header always set X-XSS-Protection "1; mode=block"
# ------------------------------
# Friendly URLs for shortener
# ------------------------------
# Needs mod_rewrite. In a per-directory file the patterns match the path
# relative to this directory, which is why they carry no leading slash.
# Flags used on every rule: [L] ends rule processing for this pass, [QSA]
# appends the request's own query string after the rewritten one.
# NOTE(review): the character classes below are routing patterns, not input
# validation. Because of QSA a request can carry its own id/t/key parameters in
# addition to the captured ones, and the PHP scripts may also be reachable by
# filename unless that is blocked elsewhere. step1.php, step2.php and go.php
# must validate every parameter themselves.
RewriteEngine On
# Step 1:
# /s/abc123 -> step1.php?id=abc123
# id: one or more of A-Z, a-z, 0-9, "_" or "-"; a trailing slash is optional.
RewriteRule ^s/([A-Za-z0-9_-]+)/?$ step1.php?id=$1 [L,QSA]
# Step 2:
# /unlock/abc123?t=TOKEN -> step2.php?id=abc123&t=TOKEN
# The t parameter is not captured by the pattern; it reaches step2.php only
# through QSA, so its format is not constrained at this layer.
RewriteRule ^unlock/([A-Za-z0-9_-]+)/?$ step2.php?id=$1 [L,QSA]
# Final redirect:
# /out/abc123/TOKEN -> go.php?id=abc123&key=TOKEN
# The key segment accepts letters and digits only (no "_" or "-").
# NOTE(review): the key travels in the URL path, so it will be recorded in
# access logs and browser history - confirm it is short-lived or single-use.
RewriteRule ^out/([A-Za-z0-9_-]+)/([A-Za-z0-9]+)/?$ go.php?id=$1&key=$2 [L,QSA]