# Handle CORS
<IfModule mod_headers.c>
    # Use 'set' instead of 'always set' to prevent duplicate headers in HTTP/2
    SetEnvIf Origin "^https?://(.*\.)?peakwork\.pro$" ALLOWED_ORIGIN=$0
    Header set Access-Control-Allow-Origin %{ALLOWED_ORIGIN}e env=ALLOWED_ORIGIN
    Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=ALLOWED_ORIGIN
    Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, s-time, s-token, schedule-lang, Origin, Accept" env=ALLOWED_ORIGIN
    Header set Access-Control-Allow-Credentials "true" env=ALLOWED_ORIGIN
    Header set Access-Control-Max-Age "3600" env=ALLOWED_ORIGIN
</IfModule>

<IfModule mod_rewrite.c>
    Options +FollowSymlinks -Multiviews
    RewriteEngine On
    RewriteBase /

    # Allow direct access to static files and uploads
    RewriteCond %{REQUEST_URI} ^/(static|uploads)/.*$
    RewriteRule ^(.*)$ - [L]

    # Handle OPTIONS method for Pre-flight (moved inside rewrite block)
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]

    # If the requested file/directory does not exist, forward to index.php
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php?s=/$1 [QSA,PT,L]
</IfModule>

# Disable directory listing
Options -Indexes

# Protect files and directories starting with a dot
<FilesMatch "^\.">
    Order allow,deny
    Deny from all
</FilesMatch>