# Security: never execute uploaded files; serve as static content only.
php_flag engine off
AddType application/octet-stream .php .phtml .phar .pl .py .cgi .asp .sh
<FilesMatch "\.(php|phtml|phar|pl|py|cgi|asp|sh|htaccess)$">
    Require all denied
</FilesMatch>
Options -Indexes -ExecCGI
