# customsso-manager — front-controller routing.
# Any request that doesn't resolve to a real file or directory falls through
# to index.php, which the Router dispatches.

# FallbackResource is the simple way (Apache 2.2.16+, no mod_rewrite needed).
FallbackResource /index.php

# Belt + suspenders: also configure mod_rewrite if available.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [QSA,L]
</IfModule>

# Block any direct access to PHP files outside the front controller. Anyone
# hitting /controllers/Auth.php or /lib/Crypt.php directly should get 403.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
<Files "index.php">
    Require all granted
</Files>
