RewriteEngine On

# Block sensitive files (Apache 2.4+)
<Files ".env">
    Require all denied
</Files>
<Files ".env.example">
    Require all denied
</Files>
<Files "backup.sh">
    Require all denied
</Files>
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Force HTTPS (skip when terminated TLS is forwarded — Traefik, Caddy, NPM, …)
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# API routing
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api/index.php?action=$1&%{QUERY_STRING} [L,QSA]
AddType application/x-x509-ca-cert .crt

# Prevent caching of JS/CSS so kiosk always gets fresh files
<FilesMatch "\.(js|css)$">
    Header set Cache-Control "no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires "0"
</FilesMatch>