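# Access control for the authentication includes.
# Kept OUTSIDE <IfModule mod_rewrite.c>: the deny has nothing to do with URL
# rewriting, and nesting it there meant the protection silently vanished on a
# host without mod_rewrite. "Require" is the Apache 2.4 form; the Order/Deny
# pair is kept for 2.2 (or a 2.4 host running without mod_authz_core).
<FilesMatch "^auth(_rbac)?\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Enable URL Rewriting
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Must be the URL path of this directory as the server sees it; relative
    # substitutions below (both the internal rewrite and the redirect) are
    # resolved against it.
    RewriteBase /xchange_reg/admin/

    # Skip rewrite for actual files and directories
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d

    # Skip rewrite for API endpoints that need to remain as-is
    RewriteCond %{REQUEST_URI} !.*_api\.php$
    RewriteCond %{REQUEST_URI} !.*_actions\.php$

    # Rewrite clean URLs to PHP files (query string preserved)
    RewriteRule ^([a-zA-Z0-9_-]+)/?$ $1.php [L,QSA]

    # Redirect .php URLs to clean URLs (optional - for SEO).
    # THE_REQUEST is the client's original request line, so this only fires on
    # an external ".php" request and not on the internal rewrite above (which
    # would otherwise loop). The substitution is relative so RewriteBase is
    # prepended automatically; the previous version hard-coded a different
    # prefix than RewriteBase, so for any single deployment one of the two was
    # wrong and the redirect (or the rewrite) could not work.
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{THE_REQUEST} ^GET\ /([^?\s]*/)?[a-zA-Z0-9_-]+\.php[?\s]
    RewriteRule ^([a-zA-Z0-9_-]+)\.php$ $1 [R=301,L]
</IfModule>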

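# Security Headers
# "always" makes the headers apply to error responses (4xx/5xx) as well;
# plain "Header set" only covers successful responses, leaving error pages
# without nosniff / frame protection.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy header: current browsers ignore it. Kept as the author set it;
    # a Content-Security-Policy is the modern replacement.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>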

# Disable directory browsing (no auto-generated listing when a directory has
# no index file). Needs "AllowOverride Options" in the server config; if that
# is not granted, Apache answers every request here with a 500.
Options -Indexes

# Set default document served for a directory request
DirectoryIndex index.php

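# Prevent access to sensitive files (dumps, logs, docs, dotenv, manifests,
# lockfiles). "Require" is the Apache 2.4 form; the Order/Deny pair is kept
# for 2.2 (or a 2.4 host running without mod_authz_core).
# NOTE(review): the pattern matches ".env" but not variants such as
# ".env.local"; widen it if such files live under this directory.
<FilesMatch "\.(sql|log|md|env|json|lock)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>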

