.htaccess

<ifModule mod_headers.c>
    Header always set Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE"
</ifModule>

DirectoryIndex index.php

Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Forbid access. Not actual as redirect to `public` is applied.
    # An extra security measure if redirect not fired.
    RewriteRule ^/?data/ - [F]
    RewriteRule ^/?application/ - [F]
    RewriteRule ^/?custom/ - [F]
    RewriteRule ^/?vendor/ - [F]
    RewriteRule /?web\.config - [F]

    # Forbid `public` dir.
    RewriteCond %{ENV:REDIRECT_STATUS} !=200
    RewriteRule ^/?public/? - [F,L]

    # Skip redirect for `client` dir.
    RewriteRule ^client/ - [L]

    # Store base path.
    RewriteCond %{REQUEST_URI}::$1 ^(.*?/)(.*)::\2$
    RewriteRule ^(.*)$ - [E=BASE:%1]

    # Add trailing slash.
    RewriteCond %{DOCUMENT_ROOT}/%{ENV:BASE}/public/$1 -d
    RewriteRule ^(.*?[^/])$ %{REQUEST_URI}/ [L,R=301,NE]

    # Rewrite to `public` dir.
    RewriteRule ^((?!public/).*)$ %{ENV:BASE}/public/$1 [L,NC]

    RewriteRule .* - [E=HTTP_ESPO_CGI_AUTH:%{HTTP:Authorization}]
</IfModule>