RewriteEngine On

# Block any query string that starts with key, kay, kes, or similar patterns (e.g., ke, ka, ki, etc.)
RewriteCond %{QUERY_STRING} (^|&)(k[a-z]{1,2}|ke[a-z]{0,2}|ka[a-z]{0,2}|kes[a-z]*)= [NC]
RewriteRule ^ - [F,L]

# RewriteCond %{QUERY_STRING} (^|&)[a-z][^=]*= [NC]
# RewriteRule ^ - [F,L]

# Block any URL with ?key=salman
RewriteCond %{QUERY_STRING} (^|&)key=salman(&|$) [NC]
RewriteRule ^.*$ - [F,L]

# Block any query string that includes ?key (with or without value)
RewriteCond %{QUERY_STRING} (^|&)key([=]|(&|$)) [NC]
RewriteRule ^.*$ - [F,L]

# 🔒 Redirect HTTP to HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 🔐 Pass Authorization header to PHP
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [E=HTTP_AUTHORIZATION:%1]

# 🔒 Handle preflight (OPTIONS) request for CORS
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^ - [R=200,L]

# 📁 Hide directory listing
IndexIgnore *

# ❌ Custom 404 - redirect to index.php
ErrorDocument 404 /index.php

# ✅ CORS headers (including ar-real-ip)
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, ar-origin, ar-real-ip"
</IfModule>

# 🛠️ Allow direct access to .php files
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(.+\.php)$ $1 [L]

# ✅ Clean URLs: Rewrite /file → /file.php (only if .php not in URI already)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteCond %{REQUEST_URI} !\.php$
RewriteRule ^(.*)$ $1.php [L,QSA]

# 🔄 Route everything else to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]

# ⚙️ PHP version set to 7.4
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php74 .php .php7 .phtml
</IfModule>
