# Deny access to config
<Files "config.php">
    Require all denied
</Files>

# Optional: rewrite clean URLs (api/hours -> api/?action=hours)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^([a-z]+)/?$ index.php?action=$1 [QSA,L]
</IfModule>
