# SPA routing + protect SMTP config (Namecheap / Apache)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Never rewrite real files or the API folder
  RewriteRule ^api/ - [L]
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # React Router client routes
  RewriteRule ^ index.html [L]
</IfModule>

# Block direct access to PHP mail secrets
<Files "config.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
