.htaccess

# Deny access to all CGI, Perl, Python, Bash, SQL, Template, INI configuration, .env, cache, log, temporary and text files
<FilesMatch "\.(env|cgi|pl|py|sh|bash|sql|tpl|ini|cache|log|tmp|txt|md)$">
    # Apache 2.4+
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</FilesMatch>

# Deny access to all composer.json and error_log files
<FilesMatch "composer\.json|error_log">
    # Apache 2.4+
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>
    Options +FollowSymLinks

    RewriteEngine On

    # Enable HSTS header to increase security of your website & SEO
    <IfModule mod_headers.c>
        Header set Strict-Transport-Security "max-age=31536000; preload" env=HTTPS
    </IfModule>

    # Remove www subdomain in the URL
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # Redirect trailing slashes if it isn't a folder
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /?$1 [L,R=301]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    RewriteRule ^(.*)$ index.php?$1 [L]
</IfModule>