Options -Indexes

# ─── CORS Headers (Apache level – runs before PHP) ───
<IfModule mod_headers.c>
    # Allow your Firebase origin — update this when you go live
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
    Header always set Access-Control-Max-Age "86400"
</IfModule>

# ─── Handle OPTIONS preflight immediately (no PHP needed) ───
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=204,L]

# ─── Route all /api/* to api/index.php ───────
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Allow actual files and directories through
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    # Route everything under /api/ to the API entry point
    RewriteRule ^api/(.*)$ api/index.php [QSA,L]
</IfModule>

# ─── Security: block sensitive files ─────────
<FilesMatch "\.(sql|log|env|md)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# ─── PHP settings ────────────────────────────
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_value error_reporting 0
</IfModule>
<IfModule mod_php8.c>
    php_flag display_errors Off
    php_value error_reporting 0
</IfModule>
