########## BEGIN RECOMMENDED RULES (COMMENT OUT OR UNCOMMENT AS NEEDED) ##########

### htaccess (https://github.com/delight-im/htaccess)
### Copyright (c) delight.im (https://www.delight.im/)
### Licensed under the MIT License (https://opensource.org/licenses/MIT)

Header set Access-Control-Allow-Origin "*" 
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" 
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"

<IfModule mod_autoindex.c>

	# Turn off directory listings for folders without default documents
	Options -Indexes

</IfModule>

<IfModule mod_negotiation.c>

	# Disable 'MultiViews' implicit filename pattern matches
	Options -MultiViews

</IfModule>

# Serve "text/plain" and "text/html" documents as UTF-8 by default
AddDefaultCharset utf-8

# Disable "ETag" headers so that browsers rely on the "Cache-Control" and "Expires" headers
FileETag None

<ifModule mod_headers.c>

	# Enable HTTP Strict Transport Security (HSTS) with a duration of six months (Uncomment 1 line below)
	# Header set Strict-Transport-Security max-age=15778800

</ifModule>


<ifModule mod_rewrite.c>
	# Force 'www' (i.e. prefix the "bare" domain and all subdomains with 'www' through permanent redirects) (Uncomment 6 lines below)
	# RewriteCond %{HTTP_HOST} !^$
	# RewriteCond %{HTTP_HOST} !^www\. [NC]
	# RewriteCond %{HTTPS}s ^on(s)|
	# # RewriteCond %{REQUEST_SCHEME} ^http(s)|
	# # RewriteCond %{SERVER_PORT}s ^443(s)|
	# RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

	# Force HTTPS (Uncomment 4 lines below)
	# RewriteCond %{HTTPS} off
	# # RewriteCond %{REQUEST_SCHEME} http
	# # RewriteCond %{SERVER_PORT} !443
	# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</IfModule>

# Prevent access to non-minified CSS and JS (Uncomment 3 lines below)
# <FilesMatch "(?<!.min)\.(css|js)$">
#     Require all denied
# </FilesMatch>

# Show a custom error document for "404 Not Found" errors (Uncomment 1 line below)
# ErrorDocument 404 /notFound.html

# Announce contact information for security issues (Uncomment 2 lines below)
# Header set X-Vulnerability-Disclosure "https://www.example.com/security"
# Header set X-Security-Contact "security@example.com"

########## END RECOMMENDED RULES ##########

########## BEGIN CUSTOM RULES (YOUR OWN RULES GO HERE) ##########

# Add your rules here ...

########## END CUSTOM RULES ##########

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /v1/modules/stripe/index.php [L]
</IfModule>
<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "*"


	# Prevent clickjacking (forbids framing by third-party sites)
	Header set X-Frame-Options sameorigin

	# Prevent content sniffing (MIME sniffing)
	Header set X-Content-Type-Options nosniff

	# Attempt to enable XSS filters in browsers, if available, and block reflected XSS
	Header set X-XSS-Protection "1; mode=block"

	# Cache media files for a month
	<FilesMatch "\.(js|css|jpg|jpeg|png|svg|webp|gif|ico|ogg|mp4|webm)$">
		Header set Cache-Control max-age=2629800
	</FilesMatch>

	# Remove response headers that provide no value but leak information
	Header always unset X-Powered-By

	Header unset Server

	# Disable "ETag" headers so that browsers rely on the "Cache-Control" and "Expires" headers
	Header unset ETag
</IfModule>