# API protection (.htaccess). The rewrite rules below need mod_rewrite, and the
# server's AllowOverride must permit these directive groups (FileInfo for
# Rewrite*/Header, Limit for access control) or this file has no effect / 500s.
RewriteEngine On

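# Block direct access to sensitive files.
# - Apache 2.4 (mod_authz_core) uses "Require all denied"; the 2.2-style
#   "Deny from all" only works on 2.4 when mod_access_compat is loaded and is
#   otherwise a 500 "Invalid command". Both forms are kept, selected by module.
# - The original "\.env$" anchor let dotenv variants such as .env.local or
#   .env.production through; "^\.env(\..*)?$" covers them.
# - The list is deliberately narrow (.env, .log, .sql); backup copies (.bak,
#   .old) and compressed dumps (.sql.gz) are not covered and must be added if
#   such files can land in the web root.
<IfModule mod_authz_core.c>
    <FilesMatch "(^\.env(\..*)?$|\.(env|log|sql)$)">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "(^\.env(\..*)?$|\.(env|log|sql)$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>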

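# Force HTTPS. When TLS is terminated by a reverse proxy / load balancer,
# %{HTTPS} is "off" at the origin for every request, so the original rule
# redirected in a loop. The X-Forwarded-Proto condition handles that case.
# CAVEAT: X-Forwarded-Proto is only trustworthy if the proxy is the sole path
# to this host and overwrites the header; a client that can reach Apache
# directly can send "X-Forwarded-Proto: https" over plain HTTP to skip the
# redirect (HSTS below still protects returning browsers).
# %{HTTP_HOST} is client-supplied; the redirect only sends the client back to
# the host it asked for. Use %{SERVER_NAME} with UseCanonicalName On if the
# redirect must always target a fixed host.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]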

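# Security response headers. Wrapped in IfModule so a host without mod_headers
# does not fail the whole .htaccess with a 500 ("Invalid command 'Header'").
# "always" applies them to error and redirect responses as well as 2xx.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    # The legacy XSS auditor is explicitly disabled ("0") rather than enabled:
    # current browsers have removed it, and where it still exists
    # "1; mode=block" has been abused to leak page contents cross-site.
    # Serve a Content-Security-Policy for any HTML this API returns instead.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS: one year, including subdomains. Browsers ignore this header on
    # plain-HTTP responses, so it only takes effect once a client has reached
    # the site over HTTPS. includeSubDomains commits every subdomain to HTTPS;
    # "preload" is deliberately omitted because preload-list entries cannot
    # be reverted quickly.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>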

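# Restrict HTTP methods. HEAD is allowed alongside GET (it is the same request
# with the body stripped; health checks and caches rely on it) — the original
# list rejected it with 405. OPTIONS stays allowed for CORS preflight.
# Everything else (PUT, DELETE, PATCH, TRACE, ...) gets a 405.
# Note: mod_rewrite's R=405 sends no Allow header, which RFC 7231 requires on
# a 405; use <LimitExcept> (returns 403) or reject in the application if a
# correct Allow header matters. TRACE should additionally be disabled with
# "TraceEnable off" in the server config, which cannot be set from .htaccess.
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS)$
RewriteRule .* - [R=405,L]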