# ----------------------------------------------------------------------
# Security & Access Control for API
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # 1. Check: Is the request specifically for 'api.php'?
    RewriteCond %{REQUEST_URI} api\.php [NC]

    # 2. Check: Is the request coming from an unknown source?
    # (Checking if Referer is NOT your allowed domain)
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?breakingnewstoday\.com [NC]

    # 3. Action: If both above are true, BLOCK the request (Send 403 Forbidden)
    RewriteRule ^ - [F,L]
</IfModule>

# ----------------------------------------------------------------------
# CORS Headers (Optional but Recommended for Cross-Domain)
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
    # Only allow requests from your specific domain
    SetEnvIf Origin "^https?://(www\.)?breakingnewstoday\.com$" ACCESS_CONTROL_ORIGIN=$0
    Header set Access-Control-Allow-Origin %{ACCESS_CONTROL_ORIGIN}e env=ACCESS_CONTROL_ORIGIN
    Header set Access-Control-Allow-Methods "GET"
</IfModule>

# ----------------------------------------------------------------------
# Disable Directory Browsing (Extra Security)
# ----------------------------------------------------------------------
Options -Indexes