Security fixes: remove dangerous public scripts, add .htaccess hardening, disable log-viewer by default, remove root index.php

public/.htaccess

@@ -5,6 +5,9 @@
 
     RewriteEngine On
 
+    # Security: Block access to sensitive files
+    RewriteRule ^(\.env|\.git|composer\.(json|lock)|artisan)$ - [F,L]
+
     # Handle Authorization Header
     RewriteCond %{HTTP:Authorization} .
     RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP_AUTHORIZATION}]
@@ -20,6 +23,13 @@
     RewriteRule ^ index.php [L]
 </IfModule>
 
+# Security headers
+<IfModule mod_headers.c>
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>
+
 # Browser Caching - Improve performance for returning visitors
 <IfModule mod_expires.c>
     ExpiresActive On