Options -Indexes
DirectoryIndex index.php

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /filepdf/

    # PENTING: route URL QR diproses lebih dahulu walaupun folder slug/UUID nyata ada.
    RewriteRule ^([A-Za-z0-9_-]+)/([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89aAbB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})/?$ open.php?slug=$1&id=$2 [L,QSA]

    # Blok akses langsung ke isi folder fisik slug/UUID.
    # PDF hanya boleh dibuka lewat URL bersih di atas agar status, hits, dan mode tetap bekerja.
    RewriteRule ^[A-Za-z0-9_-]+/[0-9a-fA-F-]{36}/.+$ - [F,L]

    # Biarkan file/folder aplikasi yang nyata diproses normal.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
</IfModule>

<FilesMatch "^(config|lib)\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<FilesMatch "^document\.pdf$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
