# Uploaded files are NEVER served directly — only through the authenticated
# PHP download handlers (which readfile() them after a tenant-ownership check).
# Deny all direct HTTP access here as a fallback for hosts without mod_rewrite.
# Apache 2.4+ (mod_authz_core is loaded): refuse every request for this
# directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Servers without mod_authz_core (Apache 2.2 and older): legacy equivalent.
# "Order allow,deny" rejects anything not matched by an Allow directive, and
# none is given here; "Deny from all" makes the rejection explicit.
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

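# Defense in depth: if the deny-all rule above is ever overridden or skipped,
# nothing in this directory may be executed or rendered inline.

# Switch the PHP interpreter off. php_flag exists only when mod_php is loaded;
# unguarded, it is an unknown directive on PHP-FPM/CGI hosts and turns every
# request for this directory into an HTTP 500. The three guards cover mod_php
# for PHP 5, PHP 7 and PHP 8+. On hosts without mod_php the FilesMatch block
# below is the control that stops requests for script files.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# nosniff stops browsers from guessing a content type for an upload;
# Content-Disposition "attachment" makes them download it instead of
# rendering it in the site's origin.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Disposition "attachment"
</IfModule>

# Explicitly refuse script-like files.
#  - (?i) matches the extension case-insensitively (shell.PHP, shell.pHp).
#  - (\.|$) also catches a script extension that is not the last one
#    (shell.php.jpg), which mod_mime can still map to a handler.
#  - Both the 2.4 and the 2.2 access-control syntax are given, matching the
#    directory-wide rule above, so the block is valid on either version.
<FilesMatch "(?i)\.(php|phtml|php3|php4|php5|php7|phar|pl|py|cgi|asp|aspx|sh|exe)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>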
