<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /api/

    # Remove .php extension from URLs
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?/$1 [QSA,L]

    # Disable directory listing
    Options -Indexes

    # Add CORS headers
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"

    # Prevent access to hidden files
    RewriteRule "^\." - [F]

    # Security headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Rate limiting (adjust as needed)
<IfModule mod_ratelimit.c>
    SetOutputFilter RATE_LIMIT
    LimitRequestBody 10485760
</IfModule>

# PHP Configuration
<IfModule mod_php7.c>
    php_value upload_max_filesize 50M
    php_value post_max_size 50M
    php_value default_charset "UTF-8"
</IfModule>
