# Harden directory handling for this endpoint directory:
#   -Indexes    : never generate a directory listing when no index file exists.
#   -MultiViews : disable content negotiation, so a request such as "/callback"
#                 is not silently mapped to "callback.php" or a sibling file.
Options -Indexes -MultiViews

# Force HTTPS: any request that arrived over plain HTTP receives a permanent
# (301) redirect to the same host and URI over https://.
# NOTE(review): the redirect target is built from %{HTTP_HOST}, i.e. the Host
# header sent by the client. If this virtual host can answer for arbitrary host
# names, prefer a fixed canonical host name in the target — confirm with the
# vhost configuration.
# NOTE(review): behind a TLS-terminating proxy or load balancer %{HTTPS} may
# always read "off", which would make this rule loop — confirm the deployment.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

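# Allow only callback.php and robots.txt; every other file name is denied.
# The negative lookahead is closed with "$" so that only the two exact names
# are exempt. Without it, any name that merely *starts* with an allowed name
# (for example an editor backup such as "callback.php.bak") would also escape
# the deny rule and could be served as-is.
<FilesMatch "^(?!(?:callback\.php|robots\.txt)$)">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback: legacy syntax. On 2.4 it only works when
    # mod_access_compat is loaded, and fails with a configuration error otherwise.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>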

# Security headers. They are applied only when mod_headers is loaded; if it is
# not, this whole section is skipped silently and none of them are sent.
# "always" also attaches the headers to error responses (such as the 403
# produced by the deny rule), not only to successful ones.
# NOTE(review): the HTTPS redirect in this file is not backed by a
# Strict-Transport-Security header here — consider adding one once every host
# served from this directory is confirmed HTTPS-only.
<IfModule mod_headers.c>
    # Ask crawlers not to index responses or follow links from them.
    Header always set X-Robots-Tag "noindex, nofollow"
    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"
    # Forbid rendering any response inside a frame (clickjacking defence).
    Header always set X-Frame-Options "DENY"
    # Keep responses out of browser and intermediary caches.
    Header always set Cache-Control "no-store, no-cache, must-revalidate"
</IfModule>
