# ============================================
# SECURITY: Prevent PHP Execution in Uploads
# ============================================
# This file protects the uploads directory from execution of uploaded files as server-side scripts
# (it relies on AllowOverride permitting at least Options, FileInfo, AuthConfig and Limit for this
# directory; otherwise Apache answers every request here with a 500)
# Created by Laravel Security Command

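# Switch the PHP engine off for this directory. This only has an effect when PHP runs
# as mod_php; each IfModule matches one generation of that module, and PHP 8+ ships
# as mod_php.c (no mod_php8.c exists). Needs AllowOverride Options. PHP-FPM/CGI setups
# ignore php_flag entirely — there the FilesMatch deny rules below do the real work.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php8.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Detach PHP handler/type mappings from script extensions for this directory, so an
# AddHandler/AddType configured higher up cannot route an upload to PHP (this also
# covers the "name.php.jpg" double-extension case, which AddHandler-style setups treat
# as PHP). Does not undo a SetHandler placed in the server config; the deny rules do.
<IfModule mod_mime.c>
    RemoveHandler .php .phtml .phar .phps .pht .phtm .php3 .php4 .php5 .php7 .php8
    RemoveType .php .phtml .phar .phps .pht .phtm .php3 .php4 .php5 .php7 .php8
</IfModule>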

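# Deny every request for PHP-like files, whichever SAPI runs PHP. The extension is
# matched in any dotted segment, not only at the end of the name: "shell.php.jpg" is
# denied too, because AddHandler-style PHP setups treat each segment as an extension.
# php[0-9]* covers php, php3..php8, php53, php70..php84 and any future numbered variant.
<FilesMatch "(?i)\.(php[0-9]*|phtml|phar|phps|phpt|pht|phtm|inc|hphp|ctp|module)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
</FilesMatch>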

# Deny shell, CGI and interpreter source files plus native/Windows executables.
# Apache runs none of these unless ExecCGI or a handler is configured; denying the
# files outright means a stray AddHandler elsewhere cannot turn an upload into a CGI.
<FilesMatch "(?i)\.(sh|bash|zsh|csh|ksh|fish|tcsh|bat|exe|cmd|com|bin|run|out|cgi|pl|py|rb|lua|go|rs)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (Order/Deny from mod_authz_host)
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

# Deny ASP.NET, JSP and ColdFusion sources. Apache does not execute these natively;
# the rule keeps uploaded script sources from being served at all.
<FilesMatch "(?i)\.(asp|aspx|asax|ascx|ashx|asmx|asa|jsp|jspx|jspf|cfm|cfml|cfc)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

# Deny configuration and credential files (.htaccess/.htpasswd, ini/conf, Laravel .env).
# FilesMatch tests the final path component only: the git/svn alternatives match a
# *file* ending in ".git"/".svn"; contents of a ".git" directory are covered only
# where their own names match another alternative (e.g. "config").
<FilesMatch "(?i)\.(htaccess|htpasswd|ini|conf|config|cfg|env|git|svn)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

# Deny Windows scripting files: PowerShell (ps*, psm1, psd1), VBScript/JScript and
# Windows Script Host (vbs, vbe, js, jse, wsf, wsh). Note that plain ".js" is included,
# so client-side scripts cannot be served from the uploads directory either.
<FilesMatch "(?i)\.(ps1|ps1xml|ps2|ps2xml|psc1|psc2|psm1|psd1|vbs|vbe|js|jse|wsf|wsh)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

# Deny compiled artefacts: JVM archives and classes, Windows/Unix shared libraries,
# object files, static archives and kernel modules.
<FilesMatch "(?i)\.(jar|war|ear|class|dll|so|dylib|o|a|ko|sys)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

# Deny SQL dumps and file-based database images, so an export that lands in the
# uploads directory cannot be downloaded.
<FilesMatch "(?i)\.(sql|sqlite|sqlite3|db|mdb|accdb)$">
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
</FilesMatch>

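# Deny editor and backup leftovers. The trailing "~" is matched on its own, so
# "config.php~" (the usual editor backup form) is denied; a ".~" extension is not
# required for it. The dotted suffixes (.bak, .old, .swp, ...) are matched as before.
<FilesMatch "(?i)(\.(bak|backup|old|save|orig|tmp|temp|swp|swo)|~)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from All
    </IfModule>
</FilesMatch>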

# Allow only known file types (allow-list approach — OPTIONAL; uncomment both sections below for strict control)
# <FilesMatch "^.*$">
#     <IfModule mod_authz_core.c>
#         Require all denied
#     </IfModule>
# </FilesMatch>
#
# # Then explicitly allow only these extensions (none is executed by Apache; svg can still carry script when opened directly, which the CSP below neutralises)
# <FilesMatch "(?i)\.(jpg|jpeg|png|gif|svg|webp|bmp|ico|pdf|doc|docx|xls|xlsx|ppt|pptx|txt|csv|zip|rar)$">
#     <IfModule mod_authz_core.c>
#         Require all granted
#     </IfModule>
#     <IfModule !mod_authz_core.c>
#         Order Allow,Deny
#         Allow from All
#     </IfModule>
# </FilesMatch>

# Response headers for everything served from this directory (only when mod_headers
# is loaded; "Header" needs AllowOverride FileInfo).
<IfModule mod_headers.c>
    # Stop browsers from sniffing an upload into a different content type (e.g. HTML).
    Header set X-Content-Type-Options "nosniff"

    # Forbid script execution in any document rendered straight from here, such as an
    # uploaded HTML or SVG file opened in its own tab; it has no effect on <img> embeds.
    # NOTE(review): the CSP "sandbox" directive would additionally give such documents
    # an opaque origin — verify inline PDF viewing in the supported browsers before adding it.
    Header set Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none';"
</IfModule>
