# api/.htaccess
Options -Indexes
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY

# Larang akses langsung ke config.php
<Files "config.php">
    Require all denied
</Files>

# CORS preflight
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [R=200,L]
