PassengerEnabled On
PassengerAppRoot /home/YOUR_CPANEL_USERNAME/shiba
PassengerPython /home/YOUR_CPANEL_USERNAME/virtualenv/shiba/3.x/bin/python3

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ passenger_wsgi.py/$1 [QSA,L]
</IfModule>

# Block direct access to sensitive files
<FilesMatch "\.(py|db|json|txt|cfg|ini|log|sh|env)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Disable directory listing
Options -Indexes

# Security headers (backup in case Flask headers don't fire)
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
