# API Security and Configuration

# Enable rewrite engine (required by the HTTPS redirect below once it is uncommented)
RewriteEngine On

# Force HTTPS in production (uncomment when ready)
# NOTE(review): while this stays commented out, requests are also served over plain
# HTTP, so any Authorization / X-Private-Key request header travels unencrypted.
# NOTE(review): the redirect target is built from the client-supplied Host header;
# confirm the vhost only answers for expected host names. If TLS is terminated on a
# proxy or load balancer, %{HTTPS} may always read "off" here - verify before enabling.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Set default index: a request for a directory is answered by index.php
DirectoryIndex index.php

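# Deny access to sensitive files
# The pattern is a suffix match on the file name: anything ending in .log, config.php
# or .json is refused (so "myconfig.php" is blocked as well).
# NOTE(review): other sensitive files that may live in this directory (backups,
# dotfiles, database dumps) are not covered - extend the pattern if any are present.
<FilesMatch "(\.log|config\.php|\.json)$">
    # Apache 2.4+: native authorization syntax. The old Order/Deny directives only
    # exist there when mod_access_compat is loaded; without it they are a
    # configuration error.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (no mod_authz_core): original directives kept as-is.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>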

# CORS Headers (already set in config.php, but backup here)
# NOTE(review): since config.php sets these too, confirm the response does not end
# up with two copies. Depending on how PHP is run, "Header always set" may add a
# second header instead of replacing the PHP one, and browsers reject a response
# carrying more than one Access-Control-Allow-Origin value.
# NOTE(review): "*" lets script on any web origin call this API and read the
# response. Browsers will not attach cookies with a wildcard origin, but the
# Allow-Headers line below still permits script-supplied Authorization and
# X-Private-Key headers. If only known front-ends use this API, list their
# origin(s) instead of "*".
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE"
# Request headers a cross-origin caller may send; two of them carry credentials.
Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Thread-ID, X-Private-Key"

# Compression: applied only when mod_deflate is loaded; JSON, HTML and plain-text
# responses are passed through the DEFLATE output filter.
# NOTE(review): compressing HTTPS responses that contain both a secret and
# request-reflected data is the precondition for compression length side channels
# (BREACH class). Confirm the JSON responses do not mix the two.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE application/json text/html text/plain
</IfModule>

# Security Headers
# "always" adds each header to error responses as well as successful ones.
# These directives need mod_headers; they are not wrapped in <IfModule>, so a server
# without the module fails the request rather than silently dropping the headers.
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header always set X-Content-Type-Options "nosniff"
# Forbid rendering any response from this directory inside a frame.
Header always set X-Frame-Options "DENY"
# NOTE(review): X-XSS-Protection is a legacy header; current browsers have removed
# the XSS auditor it controlled, so it offers no protection there. If any HTML is
# served from here, a Content-Security-Policy is the maintained replacement.
Header always set X-XSS-Protection "1; mode=block"
# NOTE(review): no Strict-Transport-Security header is set; consider adding one once
# the HTTPS redirect in this file is enabled.
