RewriteEngine On

# Enable CORS for API requests
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
    Header always set Access-Control-Allow-Credentials "true"
    
    # Handle preflight requests
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>

# Allow access to public files and API endpoints
<FilesMatch "\.(html|css|js|jpg|jpeg|png|gif|ico|svg)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>

# Allow access to API controllers
<FilesMatch "^.*Controller\.php$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>

# Hide .htaccess file
<Files .htaccess>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# PHP settings
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log logs/php_errors.log
    php_value max_execution_time 300
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
</IfModule>

<IfModule mod_php8.c>
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log logs/php_errors.log
    php_value max_execution_time 300
    php_value upload_max_filesize 10M
    php_value post_max_size 10M
</IfModule>

# DirectoryIndex
DirectoryIndex index.html

# Error documents
ErrorDocument 404 "Страницата не е намерена"
ErrorDocument 403 "Достъпът е отказан"
ErrorDocument 500 "Вътрешна грешка на сървъра"