uploads/.htaccess

# Deny direct access to uploaded files
# All downloads must go through download_attachment.php

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Disable script execution
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Prevent directory listing
Options -Indexes

# Block common executable extensions
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|phar|cgi|pl|py|sh|bash|exe|com|bat|cmd|vbs|js|html|htm|asp|aspx|jsp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
Implement comprehensive improvement plan (Phases 1-6) Security (Phase 1-2): - Add SecurityHeadersMiddleware with CSP, X-Frame-Options, etc. - Add RateLimitMiddleware for API rate limiting - Add security event logging to AuditLogModel - Add ResponseHelper for standardized API responses - Update config.php with security constants Database (Phase 3): - Add migration 014 for additional indexes - Add migration 015 for ticket dependencies - Add migration 016 for ticket attachments - Add migration 017 for recurring tickets - Add migration 018 for custom fields Features (Phase 4-5): - Add ticket dependencies with DependencyModel and API - Add duplicate detection with check_duplicates API - Add file attachments with AttachmentModel and upload/download APIs - Add @mentions with autocomplete and highlighting - Add quick actions on dashboard rows Collaboration (Phase 5): - Add mention extraction in CommentModel - Add mention autocomplete dropdown in ticket.js - Add mention highlighting CSS styles Admin & Export (Phase 6): - Add StatsModel for dashboard widgets - Add dashboard stats cards (open, critical, unassigned, etc.) - Add CSV/JSON export via export_tickets API - Add rich text editor toolbar in markdown.js - Add RecurringTicketModel with cron job - Add CustomFieldModel for per-category fields - Add admin views: RecurringTickets, CustomFields, Workflow, Templates, AuditLog, UserActivity - Add admin APIs: manage_workflows, manage_templates, manage_recurring, custom_fields, get_users - Add admin routes in index.php Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-20 09:55:01 -05:00			`# Deny direct access to uploaded files`
			`# All downloads must go through download_attachment.php`

			`<IfModule mod_authz_core.c>`
			`Require all denied`
			`</IfModule>`

			`<IfModule !mod_authz_core.c>`
			`Order deny,allow`
			`Deny from all`
			`</IfModule>`

			`# Disable script execution`
			`<IfModule mod_php.c>`
			`php_flag engine off`
			`</IfModule>`

			`# Prevent directory listing`
			`Options -Indexes`

			`# Block common executable extensions`
			`<FilesMatch "\.(php\|phtml\|php3\|php4\|php5\|php7\|phps\|phar\|cgi\|pl\|py\|sh\|bash\|exe\|com\|bat\|cmd\|vbs\|js\|html\|htm\|asp\|aspx\|jsp)$">`
			`<IfModule mod_authz_core.c>`
			`Require all denied`
			`</IfModule>`
			`<IfModule !mod_authz_core.c>`
			`Order deny,allow`
			`Deny from all`
			`</IfModule>`
			`</FilesMatch>`