# Allow direct access to API PHP files
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /api/

    # If request doesn't end in .php, add it
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+)$ $1.php [L]
</IfModule>

# Security headers for API responses
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
</IfModule>