# API Protection - Development Mode
# للإنتاج: فعّل الحماية الكاملة

# Allow all methods during development
Require all granted

# CORS Headers
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
    Header set Access-Control-Allow-Methods "POST, GET, OPTIONS"
    Header set Access-Control-Allow-Headers "Content-Type, X-Requested-With"
    Header set Content-Type "application/json; charset=utf-8"
</IfModule>

# Rate Limiting (معطل للتطوير)
# <IfModule mod_ratelimit.c>
#     SetOutputFilter RATE_LIMIT
#     SetEnv rate-limit 400
# </IfModule>

# AJAX Check (معطل للتطوير - فعّله للإنتاج)
# <FilesMatch "\.php$">
#     RewriteEngine On
#     RewriteCond %{HTTP:X-Requested-With} !^XMLHttpRequest$
#     RewriteRule .* - [F,L]
# </FilesMatch>

# Security Headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>