RewriteEngine On

# Let /api/* be handled by public/api/index.php (see public/api/.htaccess)
RewriteCond %{REQUEST_URI} ^/api/
RewriteRule ^ - [L]

# Everything else routes through the front controller,
# unless it's a real file/directory already in public/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]

# Security headers
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "DENY"
</IfModule>

Options -Indexes
