# Prevent any script execution in the uploads folder (portable across mod_php,
# PHP-FPM, CGI/FastCGI). Avoids 'php_flag', which causes a 500 error on servers
# that do not run mod_php.

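# 1) Remove script handler/type mappings if present (skipped safely if
#    mod_mime is absent).
#    - RemoveHandler/RemoveType only undo extension mappings made with
#      AddHandler/AddType. A handler assigned with SetHandler in the server
#      config (a common PHP-FPM arrangement) is not affected by this step, so
#      the deny rules later in this file remain the effective control there.
#    - mod_mime looks at every extension in a file name, not just the last
#      one, while the deny rules in this file match the final extension only.
#      The CGI-style extensions are therefore removed here as well, so this
#      step covers the same script types as the deny rules.
#    - When used as .htaccess these directives need "AllowOverride FileInfo".
<IfModule mod_mime.c>
  RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .php8 .pht .phar .phps
  RemoveHandler .cgi .pl .py .asp .aspx .sh
  RemoveType .php .phtml .php3 .php4 .php5 .php7 .php8 .pht .phar .phps
</IfModule>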

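# 2) Deny direct requests for script-like files (Apache 2.4 syntax).
#    - The pattern is a case-insensitive deny list anchored on the final
#      extension. php[0-9]* covers any numbered PHP suffix rather than a
#      hand-written list of versions; phtml? and phps cover further variants.
#    - A deny list only blocks what it names: compare it with the handler
#      mappings in the server config, because an extension mapped to an
#      interpreter there but missing here is not blocked.
#    - "Require" in .htaccess needs "AllowOverride AuthConfig". With
#      "AllowOverride None" Apache does not read .htaccess at all, so verify
#      the rules are live (a request for a test .php file in this folder
#      should return 403).
#    - These rules can be replaced by anything able to write a .htaccess into
#      this folder; the upload code must never store a file under that name.
#      Where the server config is editable, the same rules in a <Directory>
#      block are the more robust placement.
#    Keep this pattern identical to the one in the 2.2 fallback below.
<IfModule mod_authz_core.c>
  <FilesMatch "(?i)\.(php[0-9]*|phtml?|pht|phps|phar|cgi|pl|py|asp|aspx|sh)$">
    Require all denied
  </FilesMatch>
</IfModule>

# 3) Fallback for older Apache 2.2 (skipped on 2.4, where mod_authz_core is
#    present). Order/Deny in .htaccess need "AllowOverride Limit".
<IfModule !mod_authz_core.c>
  <FilesMatch "(?i)\.(php[0-9]*|phtml?|pht|phps|phar|cgi|pl|py|asp|aspx|sh)$">
    Order Deny,Allow
    Deny from all
  </FilesMatch>
</IfModule>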
