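# ========================================
# SECURITY: upload / static directory .htaccess
# ========================================
#
# Deployment requirements. If any of these is not met Apache answers 500 for
# the whole directory (fail-closed, but also an outage), so verify them:
#   - AllowOverride for this directory must include Limit (Order/Allow/Deny,
#     Require), FileInfo (Header, RemoveHandler, RemoveType) and
#     Options (Options -Indexes).
#   - mod_headers must be loaded for the Header directives. They are wrapped
#     in <IfModule mod_headers.c> so a missing module no longer breaks the
#     directory, which means the headers are silently absent instead: check
#     the response headers after deploying.
#   - Access control is written twice: "Require" for Apache 2.4
#     (mod_authz_core) and "Order/Allow/Deny" for Apache 2.2 or 2.4 with
#     mod_access_compat. Unguarded 2.2 syntax is a fatal error on a plain
#     2.4 install.
#
# Precedence note: Apache evaluates <FilesMatch> sections in the order they
# appear, and for these access-control modules a later matching section
# REPLACES the rules of an earlier one rather than merging with them. The
# default-deny + allowlist is therefore placed FIRST and the specific denies
# (PHP, dangerous types, hidden files) AFTER it, so that a name that matches
# both (e.g. "image.php.jpg" or ".hidden.txt") is still denied.

# ========================================
# Allow only specific file types (default deny)
# ========================================

# Default deny for every file name, including names with no extension.
<FilesMatch "^.*$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# Allowlist of types that may be served from here.
# html/htm/js/svg/xml are deliberately NOT listed: they can carry active
# content and are covered by the forced-download rule below only as
# defense in depth, should this list ever be extended.
<FilesMatch "\.(?i:jpg|jpeg|png|gif|webp|pdf|doc|docx|xls|xlsx|csv|txt|ttf|otf|woff|woff2)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</FilesMatch>

# ========================================
# SECURITY: Prevent execution of scripts
# ========================================

# Disable PHP execution in this directory.
# "php\d*" already covers .php, .php3 .. .php8 and longer variants such as
# .php56, .php70, .php74, .php80; the remaining alternatives are the other
# extensions PHP handlers are commonly mapped to.
<FilesMatch "\.(?i:php\d*|phtml|phar|phps|phpt|pht|inc|module)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Additional protection: remove the PHP handler and type for all variants.
# Keep these lists in sync with the FilesMatch above; they also cover the
# case where a server-wide AddHandler matches ".php" in the middle of a
# file name (e.g. "image.php.jpg").
RemoveHandler .php .php3 .php4 .php5 .php6 .php7 .php8 .phtml .phar .phps .phpt .pht .inc .module
RemoveType .php .php3 .php4 .php5 .php6 .php7 .php8 .phtml .phar .phps .phpt .pht .inc .module

# Block files with 'php' anywhere in the name (catches .php56, .php999,
# "shell.php.jpg", etc.). Unanchored on purpose.
<FilesMatch "\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Disable the PHP engine for this directory.
# php_flag only exists when PHP runs as an Apache module; with php-fpm or
# CGI it is an unknown directive and causes a 500, hence the guards
# (module name differs by PHP major version). With php-fpm this setting
# has no effect and the deny rules above are what protects you.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# ========================================
# Block dangerous file types
# ========================================

# Executables, scripts, server-side templates, archives that are executed
# by an interpreter, and server configuration/credential/database files.
<FilesMatch "\.(?i:exe|com|bat|cmd|sh|bash|zsh|cgi|pl|py|rb|go|jar|app|deb|rpm|asp|aspx|cer|csr|jsp|jspx|war|cfm|cfc|swf|fla|vb|vbs|ws|wsf|ps1|htaccess|htpasswd|ini|config|sql|sqlite|db)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# ========================================
# Block access to hidden files
# ========================================

# Any dot-file, which includes this .htaccess and e.g. ".hidden.txt".
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# ========================================
# Prevent directory listing
# ========================================

Options -Indexes

# ========================================
# MIME type security
# ========================================

<IfModule mod_headers.c>
    # Force download for files that browsers would otherwise render as
    # active content. These types are not in the allowlist above, so this
    # only matters if the allowlist is later extended.
    <FilesMatch "\.(?i:html|htm|js|svg|xml)$">
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>

    # Safe content types - allow inline viewing, but with a CSP that stops
    # any embedded script from running (relevant for PDF and polyglot files).
    <FilesMatch "\.(?i:jpg|jpeg|png|gif|webp|pdf)$">
        Header set X-Content-Type-Options "nosniff"
        Header set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'"
    </FilesMatch>

    # ========================================
    # Additional security headers
    # ========================================

    # Prevent MIME type sniffing (also on error responses, hence "always")
    Header always set X-Content-Type-Options "nosniff"

    # Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy XSS filter: current browsers have removed it and the old
    # "1; mode=block" setting is itself a known source of problems in the
    # browsers that still honour it, so it is explicitly switched off.
    # The Content-Security-Policy above is the effective control.
    Header always set X-XSS-Protection "0"
</IfModule>

# ========================================
# Hotlink protection (optional)
# ========================================

# Uncomment to enable hotlink protection (requires mod_rewrite and
# AllowOverride FileInfo); replace yourdomain.com with your own host.
# RewriteEngine On
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif|pdf)$ - [F,L]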
