<ifModule mod_headers.c>
  Header always set Access-Control-Allow-Methods "POST, GET, PUT, PATCH, DELETE"
</ifModule>

DirectoryIndex index.php index.html

<IfModule mod_rewrite.c>
  RewriteEngine On

  # PROTECTED DIRECTORIES
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^/?(api|client)/ - [F]

  RewriteRule ^/?data/ - [F]
  RewriteRule ^/?application/ - [F]
  RewriteRule ^/?custom/ - [F]
  RewriteRule ^/?vendor/ - [F]
  RewriteRule ^/?client/?$ - [F]
  #END PROTECTED DIRECTORIES

  RewriteRule .* - [E=HTTP_ESPO_CGI_AUTH:%{HTTP:Authorization}]

  RewriteRule reset/?$ reset.html [QSA,L]
</IfModule>