RewriteEngine On

# Force HTTPS (uncomment if you have SSL)
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Don't rewrite existing files and directories
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Route all /api/* requests to api.php
RewriteRule ^api(/.*)?$ api.php [QSA,L]

# Route everything else to index.html (React SPA)
RewriteRule ^(.*)$ index.html [QSA,L]

# Security: block access to config and includes
<FilesMatch "^(config|config\.sample)\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_headers.c>
    <FilesMatch "\.(js|css|png|jpg|jpeg|gif|svg|woff2?)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
</IfModule>

# PHP settings for shared hosting
<IfModule mod_php.c>
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
</IfModule>
