# Prevent uploaded files from executing as server-side scripts.
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .php5 .phtml .phar .pl .py .pyc .pyo .jsp .asp .aspx .cgi .sh .bash

<FilesMatch "\.(php|php[0-9]?|phtml|phar|pl|py|pyc|pyo|jsp|asp|aspx|cgi|sh|bash)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
