# Uploaded user content — never execute, never inline-render; download only.
# NOTE: .htaccess is Apache-only. On nginx / AllowOverride None this file is
# ignored — the real, server-independent guard is the PHP upload denylist
# (functions.php: upload_has_dangerous_extension). See docs/nginx.conf.
php_flag engine off
<IfModule mod_php.c>
  php_admin_flag engine off
</IfModule>
RemoveHandler .php .phtml .phtm .php3 .php4 .php5 .php6 .php7 .php8 .phps .pht .phar
RemoveType .php .phtml .phtm .php3 .php4 .php5 .php6 .php7 .php8 .phps .pht .phar
<FilesMatch "(?i)\.(php|phtml|phtm|php[0-9]|phps|pht|phar|cgi|fcgi|pl|py|rb|sh|asp|aspx|jsp|hta|htaccess|htpasswd|svg|svgz|xht|xhtml|s?html?|xml)$">
  Require all denied
</FilesMatch>
# Defense-in-depth: stop MIME sniffing and force download, so anything that
# slips through cannot run as HTML/JS in this origin.
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set Content-Disposition "attachment"
</IfModule>
Options -ExecCGI -Indexes
