# ScriptVault - uploads/ security
# Direct PHP execution blocked; only whitelisted extensions allowed

Options -Indexes -ExecCGI

# Block PHP execution
<FilesMatch "\.(php|php3|php4|php5|php7|phtml|pl|py|rb|cgi|sh|asp|aspx)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Allow only these file types to be served
<FilesMatch "\.(sh|bash|py|php\.txt|js|ts|rb|go|rs|sql|ps1|txt|md|yaml|yml|json|toml|conf|cfg|ini|env\.txt|zip\.txt)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

# Prevent MIME sniffing
Header set X-Content-Type-Options "nosniff"
