RewriteEngine On

# If the requested file or directory exists, serve it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Route everything through the single gateway.php
RewriteRule ^(.*)$ gateway.php [QSA,L]

# Security: deny access to sensitive files
<FilesMatch "\.(env|log|lock|md|gitignore|txt|key)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Security: deny directory listing
Options -Indexes

# CORS
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, x-api-key"
</IfModule>