# Block direct access to config file
<Files "telegram-config.php">
  Require all denied
</Files>

# Allow CORS only from your domain
<IfModule mod_headers.c>
  SetEnvIf Origin "^https://(www\.)?yourdomain\.com$" ORIGIN=$0
  Header always set Access-Control-Allow-Origin %{ORIGIN}e env=ORIGIN
  Header always set Access-Control-Allow-Methods "POST, OPTIONS"
  Header always set Access-Control-Allow-Headers "Content-Type"
  Header always set Access-Control-Max-Age "86400"
  
  # Handle preflight requests
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} OPTIONS
  RewriteRule ^(.*)$ $1 [R=204,L]
</IfModule>