# ---- Disable directory listing and execution ----
# -Indexes: no auto-generated listing when a directory has no index file.
# -ExecCGI: stops CGI script execution only. Interpreters loaded as server modules or
# selected through SetHandler do not consult this option, so the access rules that
# follow in this file are still needed.
Options -Indexes -ExecCGI

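# ---- Block access to common script/source file extensions ----
# (?i) makes the match case-insensitive: mod_mime maps extensions to types/handlers
# case-insensitively, so a name like "x.PHP" could otherwise be handed to an
# interpreter while slipping past a lower-case-only pattern.
# (\.|$) also denies names where a script extension is followed by another one
# ("x.php.jpg"): with AddHandler-style mappings mod_mime considers every extension
# in the name, not just the last.
# php[0-9]? covers .php and its numbered variants; .pht and .phps are further
# extensions that some PHP configurations route to the interpreter.
<IfModule mod_authz_core.c>
    # Apache 2.4+ authorization syntax
    <FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phps|phar|pl|py|jsp|sh|cgi)(\.|$)">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Legacy (pre-2.4) access-control syntax
    <FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phps|phar|pl|py|jsp|sh|cgi)(\.|$)">
        Deny from all
    </FilesMatch>
</IfModule>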

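# ---- Treat script files as plain text as extra protection (if mod_mime enabled) ----
# RemoveType only undoes AddType mappings. Hosts that wire PHP up with AddHandler
# need RemoveHandler as well, so both are issued for the same extension list.
# A handler assigned with SetHandler (for example in a server-level <FilesMatch>)
# is not undone by either directive.
# Trade-off: text/plain means a script would be displayed rather than executed if
# the deny rules earlier in this file were ever not in effect, so files in this
# folder must not contain credentials.
<IfModule mod_mime.c>
    RemoveHandler .php .phtml .php3 .php4 .php5 .phar
    RemoveType .php .phtml .php3 .php4 .php5 .phar
    AddType text/plain .php .phtml .php3 .php4 .php5 .phar
</IfModule>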

# ---- Prevent some handlers (suPHP/CGI/FCGId) from executing in this folder ----
# Only suPHP is actually switched off by this block; it has no effect when PHP runs
# through mod_php, plain CGI or FCGId.
# NOTE(review): under mod_php the usual equivalent is "php_flag engine off" inside the
# matching <IfModule> guard (mod_php5.c / mod_php7.c / mod_php.c) -- confirm which PHP
# SAPI this host uses before relying on this block.
<IfModule mod_suphp.c>
    suPHP_Engine off
</IfModule>

# Try to disable action handlers (defensive, may be ignored on some hosts)
# Re-points the "php-script" handler at a path that is not expected to exist, so a
# request routed through that handler fails instead of reaching an interpreter.
# NOTE(review): this only helps where PHP is wired up through an Action named
# php-script; confirm that /no-such-handler really does not resolve on this site.
<IfModule mod_actions.c>
    Action php-script /no-such-handler
</IfModule>

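# ---- Security headers (optional but recommended) ----
# "always" adds the header to error responses as well as successful ones.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a served file into an executable type.
    Header always set X-Content-Type-Options "nosniff"
    # Allow framing by the same origin only (clickjacking protection).
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor has been removed from current browsers and its
    # "1; mode=block" setting could itself be abused in older ones; current guidance
    # is to switch it off explicitly and rely on Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
</IfModule>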

# ---- Deny access to hidden files like .htaccess, .env, etc. ----
# The pattern is tested against the file name only, so any file whose name starts
# with a dot is refused. Dot-directories (for example .git/) are not covered here,
# because the files inside them usually do not start with a dot themselves.
<IfModule mod_authz_core.c>
    # Apache 2.4+ authorization syntax
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Legacy (pre-2.4) access-control syntax
    <FilesMatch "^\.">
        Deny from all
    </FilesMatch>
</IfModule>

# ---- Optional: block direct access to known sensitive filenames ----
# Exact-name deny list (anchored with ^ and $). The .env and *.php entries overlap
# with the hidden-file and script-extension rules earlier in this file and act as a
# second layer if those are changed.
# NOTE(review): the match is case-sensitive; on a case-insensitive filesystem a
# request for e.g. "Composer.json" would not be caught -- confirm the host platform.
<IfModule mod_authz_core.c>
    # Apache 2.4+ authorization syntax
    <FilesMatch "^(composer\.(json|lock)|\.env|config\.php|db_config\.php)$">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Legacy (pre-2.4) access-control syntax
    <FilesMatch "^(composer\.(json|lock)|\.env|config\.php|db_config\.php)$">
        Deny from all
    </FilesMatch>
</IfModule>