# Security
# Turn off automatic directory listings, so a directory without an index file
# does not expose the names of the files it holds.
# NOTE(review): if this is an .htaccess file, the directive only takes effect
# when the server's AllowOverride setting permits Options. Confirm in the
# server/vhost configuration.
Options -Indexes

# Protect sensitive files
# Deny direct HTTP access to any file whose name ends in .php, .sql, .ini or
# .log. The <Files> sections further down re-allow individual entry points.
# NOTE(review): the pattern is case-sensitive as written and only looks at the
# final extension, so names such as "dump.SQL", "config.php.bak" or ".env"
# (constructed examples) are not covered. Confirm whether such files can
# exist under this directory.
# NOTE(review): Order/Deny is Apache 2.2 syntax. On Apache 2.4 it depends on
# mod_access_compat; the native 2.4 form is "Require all denied".
<FilesMatch "\.(php|sql|ini|log)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Re-allow index.php, which the blanket .php deny above would otherwise block.
# <Files> is compared against the file's base name, so this exception applies
# to every file called index.php in the directory tree this configuration
# covers, not only the top-level one.
<Files "index.php">
    Order allow,deny
    Allow from all
</Files>

# Re-allow login.php, which the blanket .php deny above would otherwise block.
# As with any <Files> section the match is on the base name, so a login.php in
# any covered subdirectory becomes reachable as well.
<Files "login.php">
    Order allow,deny
    Allow from all
</Files>

# Intended to re-allow the PHP scripts under api/.
# NOTE(review): <FilesMatch> is tested against the file's base name, which
# never contains "/", so the pattern "^api/.*\.php$" cannot match. As written
# this section has no effect, and scripts under api/ stay blocked by the .php
# deny rule above unless they are named index.php or login.php.
# To open the API, place the allow rule in an .htaccess inside api/ or in a
# path-aware section of the server configuration. Do not loosen the deny rule
# above to work around it.
<FilesMatch "^api/.*\.php$">
    Order allow,deny
    Allow from all
</FilesMatch>

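# API CORS headers
# NOTE(review): these headers are added to responses for everything this
# configuration covers, not just the API, and the "*" origin lets a script on
# any site read those responses. Prefer an explicit list of trusted origins,
# applied only where the API is served.
# Browsers will not attach cookies to a request answered with "*", but a
# calling script can still supply its own Authorization header, which is
# explicitly permitted below.
# The IfModule guard makes a server without mod_headers skip the CORS headers
# (cross-origin calls are then refused by the browser) instead of rejecting
# the whole configuration with a 500.
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, Authorization"
</IfModule>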