Options -Indexes
RewriteEngine On
RewriteBase /

# ── Seguridad: denegar acceso directo a config ──────────────────
<FilesMatch "config\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# ── Página raíz ─────────────────────────────────────────────────
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^$              index.php     [L]
RewriteRule ^login$         login.php     [L,QSA]
RewriteRule ^dashboard$     dashboard.php [L,QSA]

# ── API routes (estilo Flask, sin .php) ─────────────────────────
RewriteRule ^api/login$                    api/login.php              [L,QSA]
RewriteRule ^api/logout$                   api/logout.php             [L,QSA]
RewriteRule ^api/indicators$               api/indicators.php         [L,QSA]
RewriteRule ^api/localidades/([0-9]+)$     api/localidades.php?id=$1  [L,QSA]
RewriteRule ^api/localidades$              api/localidades.php        [L,QSA]
RewriteRule ^api/users/([0-9]+)$           api/users.php?id=$1        [L,QSA]
RewriteRule ^api/users$                    api/users.php              [L,QSA]
RewriteRule ^api/data/([0-9]+)$            api/data.php?id=$1         [L,QSA]
RewriteRule ^api/data$                     api/data.php               [L,QSA]
RewriteRule ^api/metas$                    api/metas.php              [L,QSA]
RewriteRule ^api/linea_base$               api/linea_base.php         [L,QSA]
RewriteRule ^api/report$                   api/report.php             [L,QSA]
RewriteRule ^api/formato_p_data$           api/formato_p_data.php     [L,QSA]
RewriteRule ^api/formato_p_pdf$            api/formato_p_pdf.php      [L,QSA]
RewriteRule ^api/info$                     api/info.php               [L,QSA]
RewriteRule ^api/audit$                    api/audit.php              [L,QSA]

# ── Headers de seguridad ─────────────────────────────────────────
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
</IfModule>

# ── PHP config ───────────────────────────────────────────────────
<IfModule mod_php.c>
    php_value session.gc_maxlifetime 28800
    php_value session.cookie_httponly 1
</IfModule>
