<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # Allow Requests to Static Files (CSS, JS, Images, Fonts)
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^ - [L]

    # Redirect Trailing Slashes If Not A Folder
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Prevent Access To Sensitive Files
    <FilesMatch "\.(env|json|log|sql|bak|config|ini|sh|inc|swp|dist|yaml|lock|php~|crt|key|pem|cert|conf)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # Block Access To Hidden Files And Directories (e.g., .git)
    RewriteRule "^\.|^.*\/\." - [F,L]

    # Protect .htaccess File
    <Files .htaccess>
        Order allow,deny
        Deny from all
    </Files>

    # Enable CORS for External Assets
    # Add CORS Headers
    <IfModule mod_headers.c>
        Header Set Access-Control-Allow-Origin "*"
        Header Set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        # Header Set Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization, X-Requested-With"
        Header Set Access-Control-Allow-Credentials "true"
    </IfModule>
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
    
        # Handle OPTIONS requests
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]
    </IfModule>



    # Add MIME Types
    AddType text/css .css
    AddType application/javascript .js
    AddType image/png .png
    AddType image/jpeg .jpeg
    AddType image/svg+xml .svg
    AddType font/woff2 .woff2
    AddType font/woff .woff
    AddType font/ttf .ttf

    # Security Headers
    <IfModule mod_headers.c>
        Header set X-Content-Type-Options "nosniff"
        Header set X-XSS-Protection "1; mode=block"
        Header set Referrer-Policy "no-referrer-when-downgrade"
    
        # Content-Security-Policy with Relaxed Rules
        Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' https: 'unsafe-inline'; style-src 'self' https: 'unsafe-inline';"
    </IfModule>
    
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    </IfModule>

</IfModule>

# Disable Directory Browsing
Options -Indexes
