# admin/.htaccess — Protect admin area
# Turn off auto-generated directory listings for this directory and everything
# below it, so a folder without an index file does not reveal its file names.
# NOTE(review): Options in .htaccess only works when the server config's
# AllowOverride permits it; otherwise requests here fail with a 500 — confirm
# against the vhost configuration.
Options -Indexes

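# Block direct HTTP access to auth.php and the layout includes.
# These files are meant to be pulled in by other admin scripts, not requested
# by a browser. The rule only affects HTTP requests; server-side include/require
# reads from the filesystem and is not subject to it.
<FilesMatch "^(auth\.php|layout\.php|layout_end\.php)$">
  # Apache 2.4+: native authorization syntax.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 fallback. Order/Deny are kept out of the 2.4 path because
  # without mod_access_compat they are unknown directives there and every
  # request under this directory fails with a 500, and mixing them with
  # Require is discouraged.
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>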

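# Block access to the includes directory.
# NOTE: this protection exists only while mod_rewrite is loaded. If the module
# is missing, the whole block is skipped without any error and includes/ is
# served normally. A deny-all .htaccess placed inside includes/ itself does not
# depend on mod_rewrite and is a sturdier second layer.
<IfModule mod_rewrite.c>
  RewriteEngine On
  # In .htaccess context the pattern is matched against the path relative to
  # this directory. (/|$) also covers a request for "includes" without the
  # trailing slash; NC covers case variants such as "Includes/", which resolve
  # to the same folder on case-insensitive filesystems. F answers 403.
  RewriteRule ^includes(/|$) - [F,L,NC]
</IfModule>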

# No caching for admin pages
# Cache-Control "no-store" tells browsers and intermediaries not to keep a copy
# of authenticated pages; Pragma is the equivalent hint for HTTP/1.0 caches.
# The block is skipped silently when mod_headers is not loaded, in which case
# none of these headers are sent.
# NOTE(review): "Header set" without the "always" condition is not applied to
# error responses Apache generates itself — confirm whether those need the
# same no-store treatment.
<IfModule mod_headers.c>
  Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
  Header set Pragma "no-cache"
</IfModule>
