# -----------------------------
# UPLOADS DIRECTORY HARDENING (.htaccess) — defence in depth for a
# web-reachable upload directory, not a substitute for keeping uploads
# outside the document root and serving them through the application.
# -----------------------------

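# 0️⃣ Scope. Every directive below needs the matching AllowOverride for this
# directory (AuthConfig for Require, FileInfo for RemoveHandler/RemoveType,
# Options for Options) or Apache answers 500 for the whole directory.
# Apache 2.4 mod_authz_core syntax is used throughout — do NOT add 2.2-style
# "Order/Deny/Allow" to this file: in 2.4 those need mod_access_compat and
# merge unpredictably with Require when both appear in the same scope.

# 1️⃣ Default deny. Nothing in this directory is served unless a later
# section grants it. Authorization runs before any handler, so a request
# for shell.php is refused before PHP could ever see it.
Require all denied

# 2️⃣ Allow-list: only image extensions are served. (?i) makes the match
# case-insensitive so SHELL.PHP and shell.php are treated alike on
# case-insensitive filesystems. When several <FilesMatch> sections match the
# same file the LATER one wins, so the deny sections must stay below this.
# Note: "shell.php.jpg" IS matched and served by this rule, as a static
# file; step 4 is what stops it from being executed.
<FilesMatch "(?i)\.(jpe?g|png|gif|webp)$">
    Require all granted
</FilesMatch>

# 3️⃣ Dotfiles (.htaccess, .env, .git/...) are never served — including a
# file literally named ".jpg", which is why this comes after the allow-list.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Explicit deny for script-like names, kept last so it overrides any grant
# someone adds above later. Redundant with the default deny today; it is
# here so the intent survives edits. The list is wider than the usual
# php|phtml|php5: php3/4/7/8, phar, pht(m) and shtml are handled by common
# mod_php / mod_include setups.
<FilesMatch "(?i)\.(php[3-8]?|phtml?|phps|phar|pht|shtml|cgi|pl|py|asp|aspx|exe|sh)$">
    Require all denied
</FilesMatch>

# 4️⃣ Neutralise script execution for anything that still gets served.
# mod_mime looks at EVERY extension of a name, so under an AddHandler
# mapping "shell.php.jpg" is run as PHP; RemoveHandler/RemoveType undo those
# mappings for this directory. They cannot undo a SetHandler made in server
# config (the usual php-fpm form: <FilesMatch "\.php$"> SetHandler
# "proxy:..."), but that pattern needs the name to END in .php, which steps
# 1 and 3 already refuse. If your server config uses a wider pattern,
# exclude this directory there — .htaccess cannot reliably override it.
# php_flag is mod_php-only and is wrapped so php-fpm hosts do not 500 on an
# unknown directive. Verify after deploying: upload a file t.php.jpg whose
# content is "<?php echo 1;", fetch it with curl, and confirm the body is
# that literal source text and not "1".
RemoveHandler .php .php3 .php4 .php5 .php7 .php8 .phtml .phtm .phps .phar .pht .shtml .cgi .pl .py .asp .aspx
RemoveType    .php .php3 .php4 .php5 .php7 .php8 .phtml .phtm .phps .phar .pht .shtml .cgi .pl .py .asp .aspx
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 5️⃣ No directory listing, no server-side includes, no CGI, and no content
# negotiation (MultiViews could answer /uploads/x with an unexpected x.*).
# If AllowOverride only permits Options=Indexes, drop the extra flags rather
# than the whole line.
Options -Indexes -Includes -ExecCGI -MultiViews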

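# 6️⃣ Optional: long-lived caching for the image types granted above.
# Caution: a one-year lifetime means a replaced or deleted upload can keep
# being served by browsers and intermediate caches; give uploads
# content-hashed, never-reused file names so a new file always has a new
# URL. ("image/jpg" is not a registered type and is not what mod_mime emits
# for .jpg — image/jpeg covers both .jpg and .jpeg — so no rule is set for it.)
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png  "access plus 1 year"
    ExpiresByType image/gif  "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
</IfModule>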

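# 7️⃣ Security headers on everything served from here, including 403/404
# error responses — "always" is needed for that; a plain "Header set" only
# decorates successful responses.
<IfModule mod_headers.c>
    # Never let a browser sniff a served file into a different type
    # (e.g. an "image" whose bytes are really HTML).
    Header always set X-Content-Type-Options "nosniff"
    # Nothing here is a page; refuse framing outright.
    Header always set X-Frame-Options "DENY"
    # Belt and braces for anything that is ever rendered as a document
    # despite the allow-list (a future grant, a mis-typed file): no scripts,
    # no network, and "sandbox" gives the response an opaque origin so it
    # cannot read this site's cookies or storage. Images loaded via <img>
    # are unaffected — CSP applies only to documents.
    Header always set Content-Security-Policy "default-src 'none'; sandbox"
    # The XSS auditor is gone from current browsers and its blocking mode
    # enabled information leaks in older ones; "0" explicitly disables it
    # rather than asking for "1; mode=block".
    Header always set X-XSS-Protection "0"
</IfModule>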
