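# Enable CORS for all resources.
# NOTE(review): "*" lets a page on any origin read every response served from
# this directory, as long as the request carries no credentials. That is
# appropriate for public static assets only. If anything here is restricted by
# network location or IP allowlist rather than by login, scope this header to
# the paths that need it or return a specific allowlisted origin instead.
# The directive is wrapped in IfModule because a bare Header line makes every
# request fail with a 500 when mod_headers is not loaded.
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"
</IfModule>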

# Send every request that does not match an existing file or directory to
# /index.html. The rules are skipped entirely when mod_rewrite is not loaded.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # A request for index.html itself is passed through unchanged ("-") and
    # rule processing stops here ([L]), so the catch-all below cannot loop.
    RewriteRule ^index\.html$ - [L]
    # Both conditions apply to the single RewriteRule that follows them:
    # the requested path is not an existing regular file ...
    RewriteCond %{REQUEST_FILENAME} !-f
    # ... and not an existing directory.
    RewriteCond %{REQUEST_FILENAME} !-d
    # Any other non-empty path is answered with /index.html.
    RewriteRule . /index.html [L]
</IfModule>

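# Security response headers. "always" also attaches them to error responses
# and internal redirects, not only to successful responses.
<IfModule mod_headers.c>
    # X-Frame-Options to prevent clickjacking. Kept alongside the CSP
    # frame-ancestors directive below for browsers that predate it.
    Header always set X-Frame-Options "DENY"

    # Content Security Policy (CSP)
    # An Apache directive must be one logical line: a quoted value cannot span
    # physical lines, so each line below ends in a backslash continuation.
    # Without them the server reads "default-src" as an unknown directive and
    # fails the request.
    #
    # NOTE(review): points to tighten once the front-end allows it:
    #  - 'unsafe-inline' and 'unsafe-eval' in script-src allow inline script
    #    and eval(), which removes most of the XSS mitigation CSP gives for
    #    scripts. Prefer nonces or hashes and drop both keywords.
    #  - polyfill.io changed ownership and was reported serving malicious
    #    script in 2024. Confirm the site no longer loads from it, then remove
    #    it from script-src.
    #  - Whole-CDN and wildcard hosts (cdnjs.cloudflare.com, *.snapchat.com,
    #    *.moyasar.com) permit any script hosted there. Narrow them to the
    #    exact hosts or paths in use, and add SRI on the script tags.
    #  - connect-src and frame-src are not listed, so they fall back to
    #    default-src 'self'. Verify that the payment and analytics
    #    integrations still work under that restriction.
    Header always set Content-Security-Policy "default-src 'self'; \
        script-src 'self' \
            https://*.snapchat.com \
            https://sc-static.net \
            https://*.moyasar.com \
            https://www.googletagmanager.com \
            https://www.google-analytics.com \
            https://polyfill.io \
            https://cdnjs.cloudflare.com \
            https://applepay.cdn-apple.com \
            'unsafe-inline' 'unsafe-eval'; \
        style-src 'self' \
            https://*.snapchat.com \
            https://*.moyasar.com \
            https://fonts.googleapis.com \
            'unsafe-inline'; \
        img-src * data: blob:; \
        font-src 'self' https://fonts.gstatic.com; \
        object-src 'none'; \
        frame-ancestors 'none'"

    # HTTP Strict Transport Security (HSTS): two years, all subdomains.
    # Browsers honour this header only on HTTPS responses. "preload" together
    # with includeSubDomains is slow to undo once the domain is on a browser
    # preload list, so every subdomain must already serve valid HTTPS.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # X-Content-Type-Options to prevent MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # X-XSS-Protection: legacy header for the XSS filter in older browsers.
    # Current browsers ignore it, and the CSP above is the effective control.
    # NOTE(review): OWASP's current guidance is to send "0" or omit the header.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>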

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
