# Turn on mod_rewrite for this directory; every RewriteRule below depends on it.
RewriteEngine On

# Redirect any request that did not arrive over TLS to the same host and path
# on https:// with a permanent (301) redirect.
# NOTE(review): the target is assembled from the request's Host header, so the
# Location value mirrors whatever host name the client sent. Confirm the
# virtual host only answers for the expected names, or hard-code the canonical
# host in the substitution.
# NOTE(review): if TLS is terminated by a proxy or load balancer in front of
# Apache, %{HTTPS} would presumably never be "on" and this rule would redirect
# forever; verify against the deployment.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Route /health and everything under /api/ to proxy.php as an internal rewrite
# (the client sees no redirect). [L] ends rule processing for the request, so
# none of the rules further down run for these paths. That includes OPTIONS
# preflights aimed at /api/, which proxy.php therefore has to answer itself.
# NOTE(review): proxy.php is not shown here; confirm it forwards only to a
# fixed upstream and does not derive the destination from request input.
RewriteCond %{REQUEST_URI} ^/(api/|health$)
RewriteRule ^(.*)$ proxy.php [L]

# Handle static files in uploads directory: when the request path starts with
# /uploads/ and maps to an existing regular file (-f), stop rewriting and let
# Apache serve that file as-is ("-" means no substitution).
# NOTE(review): nothing here limits which file types are served, so a file in
# uploads/ is handled by whatever handler its extension selects. PHP is active
# on this host (proxy.php), so confirm that script handlers are switched off
# for uploads/ and that the upload code restricts extensions; otherwise an
# uploaded script could be executed by the server instead of downloaded.
RewriteCond %{REQUEST_URI} ^/uploads/
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.*)$ - [L]

# CORS response headers for everything served from this directory tree.
# "onsuccess" is the default condition of the Header directive and is spelled
# out here: these headers go into the success table only. The Apache docs state
# that locally generated non-2xx responses (redirects, errors) use only the
# "always" table, so those responses carry no CORS headers.
# NOTE(review): "*" lets script from any origin read these responses. Browsers
# will not attach cookies to such requests, but Authorization is allowed as a
# request header below, so access to /api/ then rests on the token alone.
# Prefer answering with an allow-list of known front-end origins (plus
# "Vary: Origin") instead of the wildcard, and limit the methods to the ones
# the API really implements.
Header onsuccess set Access-Control-Allow-Origin "*"
Header onsuccess set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header onsuccess set Access-Control-Allow-Headers "Content-Type, Authorization"

# Handle OPTIONS requests: answer CORS preflights with status 200 and stop
# rewriting. With a status outside 300-399 the substitution is not used.
# Rule order limits where this applies: OPTIONS requests for /api/ and /health
# were already rewritten to proxy.php by the earlier [L] rule, and requests
# over plain HTTP were already answered with the 301 (browsers do not follow a
# redirect on a preflight).
# The condition is an unanchored regex, so it matches any method name that
# contains "OPTIONS"; "=OPTIONS" would be an exact comparison.
# NOTE(review): the CORS headers in this file are set without "always";
# confirm they actually appear on this forced 200 response, since a preflight
# without them fails in the browser.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Content types for file extensions the server defaults may not map correctly.
# (AddType accepts the extension with or without the leading dot.)
# NOTE(review): no "X-Content-Type-Options: nosniff" header is set in the lines
# visible here; with user uploads served from the same host it is worth adding
# so browsers do not second-guess the declared type.
AddType application/javascript js
AddType image/webp webp

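# Protect sensitive files
# Deny every file whose own name starts with a dot (.env, .htaccess, ...).
# Access control is written for both Apache generations: where mod_authz_core
# is present (2.4+) "Require all denied" is used; otherwise the 2.2 Order/Deny
# pair applies. The 2.2 directives alone are unknown to a 2.4 server without
# mod_access_compat, and an unknown directive in .htaccess turns every request
# for this directory into a 500.
# NOTE(review): FilesMatch tests only the final file name, not the directories
# above it. A file such as .git/config has the name "config" and is NOT covered
# here; dot-directories need their own path-based deny rule, or better, must
# not be deployed under the web root at all.
<FilesMatch "^\.">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</FilesMatch>

# Deny Node.js project metadata and environment files by name. The pattern is
# anchored at the end only, so it matches any file name ending in one of these
# strings (for example "prod.env"), but not backup copies such as ".env.bak"
# unless the first block already catches them by their leading dot.
<FilesMatch "(package\.json|package-lock\.json|ecosystem\.config\.js|\.env)$">
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</FilesMatch>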

# HSTS (HTTP Strict Transport Security): tell browsers to use HTTPS only for
# this host for 31536000 seconds (365 days). "always" adds the header to error
# and redirect responses as well; browsers ignore it when it arrives over plain
# HTTP, so only the HTTPS responses take effect.
# includeSubDomains extends the policy to every subdomain of this host: each of
# them must serve valid HTTPS for the whole max-age period, and a browser that
# has seen the header keeps enforcing it until the period runs out.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Allow access to uploads directory without Directory directive
# NOTE(review): +Indexes is not what grants access to files; it enables
# auto-generated directory listings, and in this position it does so for this
# directory and every directory below it, not only uploads/. Any directory
# without an index file then shows its full contents to anyone who asks for
# the directory URL, including the names of all uploaded files.
# Files under /uploads/ are served without this option. Prefer
# "Options -Indexes" here; if a listing of uploads/ is really wanted, put
# "Options +Indexes" in an .htaccess inside uploads/ so it stays scoped.
Options +Indexes
