# Prevent direct access to uploaded files
Options -Indexes
Options -ExecCGI

# Deny access to PHP files
<FilesMatch "\.(php|php\d|phtml|pl|py|jsp|asp|htm|html|cgi)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Allow access to images and documents only
<FilesMatch "\.(jpg|jpeg|png|gif|bmp|webp|pdf|doc|docx|xls|xlsx|txt)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

# Set security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'none'; img-src 'self'; media-src 'self';"
</IfModule>

# Block hotlinking (uncomment for production)
# RewriteEngine On
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif|pdf)$ - [F,L]