Options -Indexes
RewriteEngine On

# Serve uploads directly (static files)
RewriteCond %{REQUEST_URI} ^/uploads/
RewriteRule ^ - [L]

# Route everything else through index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

# CORS headers for all responses
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "Authorization, Content-Type, X-Session-Id"
Header always set Access-Control-Max-Age "86400"
