RewriteEngine On

# Pass Authorization header through CGI/suPHP
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Handle CORS preflight requests
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ index.php [QSA,L]

# Route all requests to index.php unless the file or directory exists
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

# Deny access to PHP files other than index.php
<FilesMatch "^(?!index\.php$).+\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>