# Enable Rewrite Engine (required for every RewriteCond/RewriteRule in this file)
RewriteEngine On

# Redirect to index.html for root requests
# The pattern ^$ matches only the empty relative path; the two conditions
# additionally require that the request does not map to an existing file or
# directory.
# NOTE(review): if this file is a per-directory .htaccess, the empty path maps
# to the directory that holds this file, so "!-d" looks like it can never hold
# and the rule would never fire (DirectoryIndex would be serving the page
# instead) - confirm, and drop the conditions if the rewrite is really wanted.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^$ index.html [L]

# API routes - pass through to PHP files
# Applies only when the path under api/ is not an existing file or directory.
# The substitution is the same path that was matched, so the URL is left
# unchanged; [L] ends rule processing for this pass.
# NOTE(review): this does not route unknown api/ paths to a front controller,
# so they presumably still end as 404 - confirm that is intended.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api/$1 [L]

# Security: Prevent directory listing
# Removes the Indexes option so a directory without an index file is not
# served as an auto-generated file listing.
# In an .htaccess file this directive is only accepted when the server config
# permits it (AllowOverride Options or All); otherwise requests fail with a
# 500 error, so check the error log after deploying.
Options -Indexes

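# Security: Deny direct HTTP access to PHP except under this app's api/ directory and manifest.php (config/ must never be web-executable).
# The exception is anchored on the RewriteRule pattern. In per-directory (.htaccess) context that pattern is matched
# against the path relative to this file's directory - the same context the "^api/" pass-through rule above relies on -
# so it works unchanged when the app is served from a subdirectory (e.g. /personalExpenses/api/...), not only from the vhost root.
# Anchoring also means an "api/" segment that appears deeper in the path no longer exempts a request.
# "\.php(/|$)" covers a script name followed by extra path info, which a bare "\.php$" test lets through.
# NOTE(review): only the .php extension is covered; if the server maps other extensions (e.g. .phtml, .phar) to the
# PHP handler, add them here - confirm against the handler configuration.
RewriteCond %{REQUEST_URI} \.php(/|$) [NC]
RewriteRule !^(api/|manifest\.php$) - [F,L,NC]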

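# Security: Protect other sensitive files
# Denies any file whose name ends in .sql, .ini or .log. "(?i)" makes the match case-insensitive,
# so variants such as .SQL or .Log are refused as well.
# NOTE(review): only these three extensions are covered; backups, dotfiles and similar artefacts are not -
# confirm none are deployed under the web root, or extend the pattern.
<FilesMatch "(?i)\.(sql|ini|log)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 authorization syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Fallback for servers without mod_authz_core (Apache 2.2 access-control syntax)
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>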

# Set upload limits
# php_value is provided by PHP's Apache module (mod_php).
# NOTE(review): if PHP runs through FPM or CGI instead, Apache does not recognise php_value and will
# typically reject this file with a 500 error - confirm the SAPI, or set these values in PHP's own ini.
# NOTE(review): PHP's documentation asks for post_max_size to be larger than upload_max_filesize; with
# both at 30M a file close to the limit may be rejected once multipart overhead is added - confirm the
# intended ceiling.
php_value upload_max_filesize 30M
php_value post_max_size 30M

