# Uploads are data, never code. Even though the uploader already checks the
# real MIME type and renames every file, this makes sure nothing in here can
# ever be executed if something slips through.

php_flag engine off

<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
</IfModule>

<FilesMatch "\.(php|php3|php4|php5|php7|php8|phtml|phar|cgi|pl|py|sh|htaccess)$">
  Require all denied
</FilesMatch>
