RewriteEngine On

# Handle CORS preflight requests
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Static files - serve directly from client-build
RewriteRule ^static/(.*)$ client-build/static/$1 [L]
RewriteRule ^manifest\.json$ client-build/manifest.json [L]
RewriteRule ^favicon\.ico$ client-build/favicon.ico [L]

# API routes - handle /production/api/ requests
RewriteCond %{REQUEST_URI} /production/api/
RewriteRule ^api/(.*)$ api/$1 [L]

# Everything else goes to React app
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !/production/api/
RewriteRule ^(.*)$ index.php [QSA,L]

# Set correct MIME types
AddType application/javascript .js
AddType text/css .css
AddType application/json .json

# Security headers
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
Header always set X-XSS-Protection "1; mode=block"

# CORS headers
## CORS headers are handled in PHP (`includes/helpers.php`) to allow origin checks based on ALLOWED_ORIGINS