# Disable directory listing
Options -Indexes

# Prevent execution of scripts in uploads (deny access to PHP/perl/python/etc)
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|aspx|sh|cgi)$">
    Require all denied
</FilesMatch>

# Serve common web-safe types; if server tries to execute as script, force download/plain text
<IfModule mod_mime.c>
    # Ensure images and media served normally
    AddType image/jpeg .jpg .jpeg
    AddType image/png .png
    AddType image/gif .gif
    AddType image/webp .webp
    AddType video/mp4 .mp4
    AddType video/webm .webm
    # For safety, treat unknown files as binary
</IfModule>

# Cache control for uploaded static assets (optional)
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
    ExpiresByType image/png "access plus 7 days"
    ExpiresByType image/gif "access plus 7 days"
    ExpiresByType image/webp "access plus 7 days"
    ExpiresByType video/mp4 "access plus 7 days"
</IfModule>