# Faoxima Mini App – API directory protections
# Blocks direct browser access to internal libraries while letting the
# public entry points (miniapp.php, verify.php, etc.) work normally.

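# Disable directory listing: a request for a folder with no index file gets 403
# instead of a file list. Needs AllowOverride Options (or All) in the vhost,
# otherwise this whole file triggers a 500.
Options -Indexes

# Block direct HTTP access to internal folders. PHP include()/require() reads
# these from disk, not over HTTP, so the public entry points keep working.
# Deliberately NOT wrapped in <IfModule mod_rewrite.c>: if mod_rewrite is
# missing, the unknown directive makes Apache answer 500 for this directory
# (fail closed) instead of silently serving lib/ and handlers/.
# [NC] closes the bypass on case-insensitive filesystems (/LIB/x.php on
# Windows/macOS would otherwise resolve to the real file).
# Defense in depth: also drop a .htaccess containing "Require all denied" into
# each of those folders, or move them outside the document root entirely.
RewriteEngine On
RewriteRule ^lib/      - [F,L,NC]
RewriteRule ^handlers/ - [F,L,NC]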

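# Deny dotfiles by name (.env, .htaccess, .gitignore, .DS_Store, ...).
# FilesMatch tests only the final path component, so files *inside* a dot
# directory (.git/config, .git/HEAD, .svn/wc.db) are NOT caught by this rule
# alone; the RedirectMatch below covers whole VCS trees by URL path.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
# mod_alias: 403 for any request whose path contains a /.git, /.svn or /.hg
# segment (a bare "$" keeps .gitignore-style files with the FilesMatch above).
# Unwrapped on purpose so a missing mod_alias fails closed (500), not open.
RedirectMatch 403 "/\.(git|svn|hg)(/|$)"

# Deny logs, database dumps (plain or gzipped) and editor/backup leftovers:
# .bak/.old/.tmp/.orig copies from hand edits, vim .swp/.swo swap files, and
# Emacs "file~" backups.
<FilesMatch "(\.(log|bak|swp|swo|orig|old|tmp|sql(\.gz)?)|~)$">
    Require all denied
</FilesMatch>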

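# Security response headers. These are NOT CORS headers: nothing here sets
# Access-Control-Allow-Origin, so cross-origin browser calls are refused by
# default. If the mini app front end is served from another origin, add
#   Header always set Access-Control-Allow-Origin "https://your-real-domain"
# with that one explicit origin -- never "*" on an authenticated API, since
# that lets any site make credentialed-looking requests with a stolen token.
# "always" applies the headers to 403/404/500 responses as well; a plain
# "Header set" only touches successful (2xx) responses, leaving error pages
# without nosniff/referrer protection.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer"
</IfModule>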

# Expose the raw Authorization header to PHP as $_SERVER['HTTP_AUTHORIZATION']
# (CGI/FastCGI/LiteSpeed strip it by default, so Bearer-token auth would see
# nothing). Two independent mechanisms are used so that whichever of
# mod_rewrite / mod_setenvif is loaded gets the job done.
# These ARE wrapped in <IfModule>: if both modules are absent the request still
# reaches PHP, which presumably rejects the missing token -- confirm the PHP
# side returns 401 rather than treating "no header" as anonymous-but-allowed.
# NOTE(review): after an internal redirect the variable may surface as
# REDIRECT_HTTP_AUTHORIZATION instead; have the PHP side read both names.
# On Apache >= 2.4.13 with mod_cgi/mod_proxy_fcgi, "CGIPassAuth On" is the
# supported alternative to this rewrite trick.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only copy the header when it is present, so an absent header stays
    # unset rather than becoming an empty string.
    RewriteCond %{HTTP:Authorization} ^(.+)$
    RewriteRule ^ - [E=HTTP_AUTHORIZATION:%1]
</IfModule>
<IfModule mod_setenvif.c>
    # Same copy via mod_setenvif; header-name match is case-insensitive.
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
