# Enable the rewrite engine (mod_rewrite); every RewriteCond/RewriteRule
# in this file depends on it.
RewriteEngine On

# Serve index.html for requests to the site root (empty per-directory path).
# The two conditions only let the rule fire when the requested path is
# neither an existing file (-f) nor an existing directory (-d).
# NOTE(review): for a request to the root, REQUEST_FILENAME normally resolves
# to the directory itself, so the !-d condition may keep this rule from ever
# matching and index.html may really be served by DirectoryIndex - confirm.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^$ index.html [L]

# API routes: requests under api/ that do not name an existing file or
# directory are rewritten to the same api/ path and rule processing stops ([L]).
# NOTE(review): the substitution (api/$1) equals the matched path, so this rule
# does not map an API URL onto a different PHP file; requests for existing
# api/*.php files never reach it because of the !-f condition. If extensionless
# routes (e.g. api/users -> api/users.php) were intended, the substitution has
# to say so - confirm the intent.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api/$1 [L]

# Security: turn off automatic directory listings, so a directory without an
# index file is not rendered as a browsable file list.
# This hides file names only; it does not block direct requests to a file whose
# name is known - the rules below handle that for specific file types.
# NOTE(review): in a per-directory file this needs AllowOverride to permit
# Options; confirm against the server configuration.
Options -Indexes

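# Security: answer 403 (F) for PHP scripts outside the allowed locations.
# Allowed: anything under /api/ and /config/, plus /manifest.php (PWA support).
# The first condition matches ".php" at the end of the path OR followed by "/",
# because REQUEST_URI keeps any trailing path info (/file.php/extra); anchoring
# on "\.php$" alone would let such a request skip this rule while the script
# still runs.
# The /api/ and /config/ prefixes are matched against the full URL path, so the
# rule assumes the application is deployed at the document root; in a
# subdirectory the exemptions stop matching and every PHP request is refused.
# NOTE(review): scripts under /config/ stay directly requestable over HTTP. If
# they are only ever included by other scripts, drop that exemption so they are
# denied as well.
# NOTE(review): only the .php extension is covered; if the server maps further
# extensions (e.g. .phtml, .phar) to the PHP handler, add them here - confirm.
RewriteCond %{REQUEST_URI} \.php(/|$) [NC]
RewriteCond %{REQUEST_URI} !^/api/ [NC]
RewriteCond %{REQUEST_URI} !^/config/ [NC]
RewriteCond %{REQUEST_URI} !^/manifest\.php$ [NC]
RewriteRule .* - [F,L]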

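# Security: refuse HTTP access to SQL dumps, ini files and log files.
# The pattern is case-insensitive ((?i)) so that DUMP.SQL or App.Log is refused
# as well, consistent with the [NC] flag on the PHP rule in this file.
# Two branches cover both access-control syntaxes: "Require" when
# mod_authz_core is loaded (Apache 2.4), Order/Deny otherwise (Apache 2.2).
# NOTE(review): only these three extensions are covered. Other files that
# often hold secrets (for example .env files or backup copies) are not matched;
# confirm whether any exist under the web root.
<FilesMatch "(?i)\.(sql|ini|log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>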

# Raise PHP's per-request upload limits to 30 MB for this directory tree.
# upload_max_filesize caps a single uploaded file; post_max_size caps the whole
# request body (file plus other form fields and multipart framing).
# NOTE(review): post_max_size is normally set larger than upload_max_filesize;
# with equal values a file close to 30M may be rejected - confirm.
# NOTE(review): php_value is only understood when PHP runs as an Apache module;
# under PHP-FPM/CGI the directive is not recognised - confirm the deployment.
# Higher limits raise the cost of every request the server accepts, so keep
# them as low as the application actually needs.
php_value upload_max_filesize 30M
php_value post_max_size 30M

