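<IfModule mod_rewrite.c>
  RewriteEngine On

  # Refuse existing files and directories reached through a dot-segment
  # (.git/, .svn/, .idea/, ...). A <FilesMatch "^\."> rule only tests the final
  # file name, so it blocks ".env" but not ".git/config". This rule has to sit
  # ahead of the real-file pass-through below, which would serve such paths.
  # /.well-known/ stays reachable (ACME challenges, security.txt).
  RewriteCond %{REQUEST_URI} !(^|/)\.well-known/
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule (^|/)\. - [F]

  # Serve real files and real directories untouched.
  # NOTE(review): the front controller is public/index.php, so this file sits
  # one level above public/. Every other existing file under this directory
  # (dependencies, config, logs) is served directly unless a rule denies it.
  # Pointing DocumentRoot at public/ removes that exposure altogether.
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # All other requests go to public/index.php (PHP entry point);
  # QSA keeps the original query string.
  RewriteRule ^ public/index.php [QSA,L]
</IfModule>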

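# Security headers for API
# "always" puts the headers in the table that is also sent on error responses
# (403/404/500) and kept across internal redirects such as ErrorDocument.
# A plain "Header set" only covers the success table, so denied or failed
# requests would go out without them.
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  # Legacy header: current browsers have removed the XSS auditor and ignore it.
  # It does not replace output encoding or a Content-Security-Policy.
  Header always set X-XSS-Protection "1; mode=block"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Browsers honour HSTS only when it arrives over HTTPS. includeSubDomains and
  # preload commit every subdomain to HTTPS for a year and are slow to undo;
  # confirm all subdomains serve valid TLS before submitting for preload.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # CORS: these two headers are sent unconditionally on every response.
  # On their own they grant nothing cross-origin, because no
  # Access-Control-Allow-Origin is set here; same-origin requests do not need
  # them. If the application later emits Allow-Origin, use an explicit origin
  # allow-list rather than "*" or a reflected Origin value.
  Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
  Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
</IfModule>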

# Gzip compression (applied per response MIME type)
# NOTE(review): compressing HTTPS responses that contain both a secret and
# attacker-influenced input is the precondition for BREACH-style length side
# channels. Confirm that API responses do not echo request data next to
# tokens, or exclude those responses from DEFLATE.
<IfModule mod_deflate.c>
  # Text formats
  AddOutputFilterByType DEFLATE text/plain text/xml text/css
  # Script and API payloads
  AddOutputFilterByType DEFLATE text/javascript application/javascript application/json
</IfModule>

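# PHP settings for production
# These directives apply only when PHP runs as the Apache module named
# mod_php.c (PHP 8; PHP 7 registers as mod_php7.c). Under PHP-FPM or CGI the
# whole section is skipped silently, and display_errors then follows php.ini.
# Set the same values there (or in .user.ini) for such deployments.
<IfModule mod_php.c>
  # Never render errors to clients (they leak paths, queries and stack
  # traces); send them to the error log instead.
  php_flag display_errors Off
  php_flag log_errors On
  # "max_upload_size" is not a PHP ini directive, so the intended limit never
  # took effect; the setting that caps a single uploaded file is
  # upload_max_filesize.
  php_value upload_max_filesize 20M
  # Caps the whole request body. PHP's documentation asks for this to be
  # larger than upload_max_filesize to leave room for multipart overhead;
  # with both at 20M, a file close to 20M can still be rejected.
  php_value post_max_size 20M
</IfModule>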

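# Block sensitive files
# "Deny from all" is Apache 2.2 syntax. On 2.4 it is only understood when
# mod_access_compat is loaded; without it the unknown directive turns every
# request handled by this .htaccess into a 500. Each section therefore uses
# "Require all denied" where mod_authz_core exists (2.4+) and falls back to
# the 2.2 form otherwise.

# Dotfiles (.env, .htaccess, .gitignore, ...). FilesMatch tests only the final
# file name, so this does not cover files inside dot-directories such as
# .git/; those need a path-based rule.
<FilesMatch "^\.">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>

# Project metadata by extension (*.env, *.example, *.md, *.gitignore, *.lock).
# NOTE(review): other non-public files (manifests, backups, dumps, logs) are
# not matched here; extend the list to whatever is deployed with the app.
<FilesMatch "\.(env|example|md|gitignore|lock)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>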
