# Block PHP execution in uploads directory
# Prevents uploaded files from being executed as PHP

<FilesMatch "\.(php|php3|php4|php5|php7|phtml|pl|py|cgi|asp|aspx|sh|bash)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# Allow only image files
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_FILENAME} !\.(?:jpg|jpeg|png|gif|webp|svg|ico)$ [NC]
  RewriteRule . - [F,L]
</IfModule>

Options -Indexes -ExecCGI
