Options -Indexes

# Deny execution of scripts in the uploads directory
<FilesMatch "\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
  Require all denied
</FilesMatch>

# Allow images and static assets to be served
<IfModule mod_headers.c>
  <FilesMatch "\.(jpg|jpeg|png|webp|gif)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
</IfModule>
