# tajdid-api/.htaccess
# Apache-level CORS — the headers are set with "Header always", so they are also
# sent on error responses such as PHP 500s, and an allowed origin never sees a
# missing Access-Control-Allow-Origin header.

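<IfModule mod_headers.c>
    # Origin allowlist: the two production sites plus localhost for dev.
    # SetEnvIf copies the request's Origin into CORS_ORIGIN only when it matches
    # one of the anchored patterns below; any other origin leaves CORS_ORIGIN
    # unset and therefore receives no Access-Control-Allow-Origin header.
    #
    # NOTE(review): "https?" also trusts the plain-http form of both production
    # sites. Content served over http can be altered in transit and would still
    # be trusted for credentialed requests; narrow to "https" if both sites are
    # https-only — confirm before changing.
    SetEnvIf Origin "^https?://(www\.)?tajdidcorporation\.com\.my$" CORS_ORIGIN=$0
    SetEnvIf Origin "^https?://(www\.)?tajdid\.com\.my$"            CORS_ORIGIN=$0
    # NOTE(review): the loopback entries are for development. In a deployed copy
    # they extend credentialed access to any page served from a local port on
    # the visitor's machine; consider dropping them from the production file.
    SetEnvIf Origin "^http://localhost(:[0-9]+)?$"                   CORS_ORIGIN=$0
    SetEnvIf Origin "^http://127\.0\.0\.1(:[0-9]+)?$"               CORS_ORIGIN=$0

    # The response now differs by request Origin, so caches must key on it;
    # without Vary a shared cache can replay one origin's Allow-Origin value
    # (or its absence) to a different origin.
    Header always merge Vary "Origin"

    # "always" puts the header on error responses as well as successful ones.
    # Allow-Origin echoes the matched origin and is emitted only when one matched.
    Header always set   Access-Control-Allow-Origin    "%{CORS_ORIGIN}e"  env=CORS_ORIGIN
    Header always set   Access-Control-Allow-Methods   "GET, POST, PUT, DELETE, OPTIONS"
    Header always set   Access-Control-Allow-Headers   "Content-Type, Accept, Authorization, X-Admin-Key"
    Header always set   Access-Control-Expose-Headers  "Retry-After"
    # Credentialed CORS is advertised only together with an allowlisted origin,
    # never on responses to origins that did not match.
    Header always set   Access-Control-Allow-Credentials "true"           env=CORS_ORIGIN
</IfModule>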

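# Handle OPTIONS preflight at Apache level (no PHP needed): every OPTIONS
# request, whatever its path, is answered with an empty 204. The CORS headers
# set with "Header always" are still attached to that response.
# These directives sit outside any <IfModule>, so mod_rewrite must be loaded.
RewriteEngine On
# "=" is an exact string comparison, so only the literal method OPTIONS matches
# (the bare pattern would also match any method name containing "OPTIONS").
RewriteCond %{REQUEST_METHOD} =OPTIONS
RewriteRule ^ - [R=204,L]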

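# PHP error display OFF in production (prevents HTML bleeding into JSON and
# keeps file paths and stack details out of responses).
# Errors are still reported and logged: error_reporting 0 would also silence
# the error log, leaving failures and malformed-request probes without a trace.
# -1 enables every error level; display_errors stays off, so nothing reaches
# the client.
# NOTE(review): php_flag / php_value are only recognised when PHP runs as an
# Apache module; under other handlers these lines need to move to the PHP
# configuration — confirm the deployment.
php_flag  display_errors off
php_flag  log_errors on
php_value error_reporting -1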
