RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule ^api/create-order$ api/create_order.php [L,QSA]
RewriteRule ^api/create-payment$ api/create_payment.php [L,QSA]
RewriteRule ^api/check-status$ api/check_status.php [L,QSA]
RewriteRule ^api/verify-payment$ api/verify_payment.php [L,QSA]
RewriteRule ^pay/([a-f0-9]+)$ pay.php?token=$1 [L,QSA]
RewriteRule ^callback$ callback.php [L,QSA]

<IfModule mod_headers.c>
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

<FilesMatch "\.(md|txt)$">
    Require all denied
</FilesMatch>
