RewriteEngine On

# Pass Authorization header to PHP
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# Legal pages
RewriteRule ^privacy-policy$ privacy-policy.php [L]
RewriteRule ^terms$ terms.php [L]

# Serve existing files/dirs directly
RewriteCond %{REQUEST_URI} ^/public/ [OR]
RewriteCond %{REQUEST_URI} ^/api/
RewriteRule ^ - [L]

# Everything else -> index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]

# Prevent caching of JS/CSS files
<IfModule mod_headers.c>
    <FilesMatch "\.(js|css)$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </FilesMatch>
</IfModule>

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, PATCH, DELETE, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, apikey"
</IfModule>

# Handle OPTIONS preflight
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
