# Block direct access to config file
<Files "config.php">
    Order Allow,Deny
    Deny from all
</Files>

# CORS headers for API endpoints
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "https://superfice.de"
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type"
    Header always set Access-Control-Max-Age "86400"
</IfModule>

# Handle OPTIONS preflight
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=204,L]

# PHP settings
php_flag display_errors Off
php_flag log_errors On