<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Protect sensitive files
    <FilesMatch "(\.(env|config|token)|auth/)">
        Require all denied
    </FilesMatch>
</IfModule>