# BucketList — API rewrite rules (Apache)
# Route /api/* requests that do not match an existing file or directory to
# index.php, which dispatches to route handlers.

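<IfModule mod_rewrite.c>
  RewriteEngine On

  # Forward the Authorization header to PHP as HTTP_AUTHORIZATION (some shared
  # hosts strip it otherwise). The pattern requires a non-empty value: with
  # ^(.*) the rule also fired when the header was absent, leaving an empty
  # HTTP_AUTHORIZATION that application code could mistake for a supplied
  # credential if it only checks that the variable is set.
  RewriteCond %{HTTP:Authorization} ^(.+)$
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

  # Front controller: requests that do not map to an existing file or
  # directory are handled by index.php.
  # NOTE(review): because of the !-f test, any file that exists under this
  # directory is served directly (and executed, if it is a PHP script) without
  # passing through index.php, unless another rule in this file denies it.
  # Keep include-only scripts and data files outside the web root, or deny
  # them explicitly.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^ index.php [L]
</IfModule>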

# Sensible defaults
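<IfModule mod_headers.c>
  # "always" adds the headers to error responses as well (for example the 403
  # produced by a denied file or a 404), not only to successful ones; a plain
  # "Header set" uses the onsuccess table and leaves those responses without
  # the headers.
  # NOTE(review): if the application also sends these headers itself, check the
  # final response for duplicates.
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>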

# Disable directory listing: a request for a directory without an index file
# gets an error instead of an auto-generated listing of its contents.
# NOTE(review): if this file is loaded as .htaccess, the server configuration
# must allow overriding Options for this directive to be accepted - confirm.
Options -Indexes

# Deny direct web access to config.php and db.php ("Require" is the
# Apache 2.4 authorization syntax).
# NOTE(review): the pattern is anchored and case-sensitive, so it covers only
# these two exact file names. Other PHP partials, and copies of these files
# under a different name (editor backups, renamed old versions), are not
# matched and would be served - confirm nothing else sensitive lives in this
# directory, or move such files outside the web root.
<FilesMatch "^(config|db)\.php$">
  Require all denied
</FilesMatch>
