# Deny all access to uploads directory
# Only allow access through application-controlled downloads

# Prevent directory browsing
Options -Indexes

# Deny all direct access
Require all denied

# Prevent PHP execution in uploads
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# Prevent access to executable files
<FilesMatch "\.(pl|py|jsp|asp|sh|cgi)$">
    Require all denied
</FilesMatch>

# Prevent access to hidden files
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Security headers
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
