# ============================================================
# Visa Services Web App — API .htaccess
# CORS Headers + URL Rewriting
# ============================================================

# Enable Rewrite Engine
# Turns on mod_rewrite for this directory; the RewriteCond/RewriteRule pair
# further down is ignored unless the engine is on.
RewriteEngine On

# CORS Headers
# These directives come from mod_headers. "always" attaches each header to
# every response, including error responses and the 200 answer given to
# OPTIONS preflights below.
#
# NOTE(review): "*" allows script running on ANY origin to read responses
# from this API. Because "Authorization" is an allowed request header, any
# site holding a valid token can use the API from a browser. If only this
# application's own front end should call the API, pin the origin instead:
#   Header always set Access-Control-Allow-Origin "https://FRONTEND-ORIGIN.example"
# (placeholder; substitute the real front-end origin) and add
# "Vary: Origin" if the value is selected per request.
Header always set Access-Control-Allow-Origin "*"
# Methods a cross-origin caller may use; keep this list to what the API
# actually implements.
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
# Request headers a cross-origin caller may send.
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
# Lets browsers cache a preflight result for up to 3600 seconds.
Header always set Access-Control-Max-Age "3600"

# Handle OPTIONS preflight requests
# Any request whose method is OPTIONS is answered here with status 200.
# R=200 is outside the 3xx redirect range, so mod_rewrite drops the
# substitution and stops rewriting; no later rule runs for that request.
# The pattern matches every path, so the answer is the same for URLs that
# do not exist. The CORS headers on the response come from the
# "Header always set" lines above.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Prevent directory listing
# Without an index file, Apache would otherwise generate a listing of the
# directory contents; -Indexes turns that off for this directory and below.
Options -Indexes

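# Protect sensitive files (environment files, SQL dumps, docs, logs).
# FilesMatch tests the file name only, so this applies in every
# subdirectory. (?i) makes the match case-insensitive: on a
# case-insensitive filesystem a differently-cased request name resolves
# to the same file and would otherwise slip past the rule.
#
# Apache 2.4 authorises with mod_authz_core ("Require"). The legacy
# Order/Deny directives work there only when mod_access_compat is loaded,
# and an unrecognised directive in .htaccess makes every request to this
# directory fail with a 500. Use whichever module the server provides.
<FilesMatch "(?i)\.(env|sql|md|log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>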

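# Protect config directory files.
# Blocks direct HTTP requests for any file named db.php or jwt.php under
# this directory (FilesMatch tests the file name only; (?i) ignores case).
# This is a second line of defence: if the PHP handler is ever disabled or
# misconfigured, these files would otherwise be served as plain text.
# NOTE(review): storing credential and key material outside the document
# root would remove the dependence on this rule.
#
# "Require" is the Apache 2.4 form; Order/Deny is kept as a fallback for
# servers without mod_authz_core.
<FilesMatch "(?i)^(db|jwt)\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>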

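# PHP error handling — don't expose errors in production.
# php_flag/php_value are only understood when PHP runs as an Apache module
# (mod_php). Under PHP-FPM or CGI they are unknown directives and cause a
# 500; set the same values in php.ini or .user.ini there instead.
#
# Never render error text (paths, queries, stack traces) to the client.
php_flag display_errors Off
# Keep errors in the server-side log so failures remain visible to operators.
php_flag log_errors On
# PHP constants such as E_ALL are not parsed in Apache configuration and
# evaluate to 0, which reports nothing. -1 enables every error level
# numerically on any PHP version.
php_value error_reporting -1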
