# Disable automatic directory listings for this tree.
Options -Indexes
# Block direct access to PHP config and internal files
# NOTE(review): as written here, the directive below sits outside any
# <Files>/<FilesMatch> container, so it denies every request under this
# directory, including the api/*.php endpoints routed further down. If the
# intent is only to hide config/internal files, confirm that the enclosing
# container and its filename pattern are present in the deployed file.
Require all denied
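# Clean-URL routing for the API endpoints (requires mod_rewrite).
RewriteEngine On
RewriteBase /
# Skip rewrite if file or directory physically exists.
# RewriteCond lines bind only to the single RewriteRule that follows them, so
# the API routes are expressed as one rule; that keeps both guards in effect
# for every endpoint instead of only the first one.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# API routing: only the endpoint names in this allow-list are mapped to a
# script; any other api/... path is left untouched by this rule.
# QSA keeps the caller's query string, L ends rule processing for this pass.
RewriteRule ^api/(auth|streamers|live|comments|oauth|settings|moderators|rater_groups|community_ratings)/?$ api/$1.php [QSA,L]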
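# Security headers (requires mod_headers)
# Stop browsers from MIME-sniffing a response away from its declared type.
Header always set X-Content-Type-Options "nosniff"
# Framing policy (clickjacking defence): only this origin and the two listed
# sites may embed these pages. X-Frame-Options is deliberately not sent: its
# ALLOW-FROM form is obsolete, accepts a single origin only, and is ignored by
# current browsers, so it cannot express this two-origin allow-list.
# frame-ancestors is the directive browsers actually enforce here.
Header always set Content-Security-Policy "frame-ancestors 'self' https://nb.garoshi.eu https://naughtybulldogs.eu"
# Send the full URL as referrer to same-origin requests, only the origin to
# other sites, and nothing on an HTTPS-to-HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"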