<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Gérer les requêtes OPTIONS (CORS preflight)
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]

    # Blocage accès direct aux dossiers sensibles
    RewriteRule ^uploads($|/) - [F,L]
    RewriteRule ^_chunks($|/) - [F,L]

    # Lien court propre : /YnfcF4EXab → preview.php?hash=YnfcF4EXab
    RewriteRule ^([A-Za-z0-9]{10})$ preview.php?hash=$1 [L]

    # Téléchargement direct : /download/YnfcF4EXab → download.php?hash=YnfcF4EXab
    RewriteRule ^download/([A-Za-z0-9]{10})$ download.php?hash=$1 [L]

    # Laisser passer les fichiers et dossiers réels (CSS, JS, asset.php, etc.)
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # Tout le reste → index.php (page d'upload principale)
    RewriteRule ^ index.php [L]
</IfModule>