Block access to all php and phar files that are uploaded into the media folder

.docker/frankenphp/Caddyfile

@@ -51,5 +51,9 @@
 	# Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
 	header ?Permissions-Policy "browsing-topics=()"
 
+	# Prevent PHP execution in the media upload directory
+	@php_in_media path_regexp (?i)^/media/.*\.(php[3-8]?|phar|phtml|pht|phps)$
+	respond @php_in_media 403
+
 	php_server
 }

.docker/symfony.conf

@@ -15,6 +15,14 @@
             AllowOverride All
         </Directory>
 
+        # Prevent PHP execution in the media upload directory (server-level, not .htaccess,
+        # because public/media is a Docker volume and .htaccess there may not be present)
+        <Directory /var/www/html/public/media>
+            <FilesMatch "(?i)\.(php[3-8]?|phar|phtml|pht|phps)$">
+                Require all denied
+            </FilesMatch>
+        </Directory>
+
         # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
         # error, crit, alert, emerg.
         # It is also possible to configure the loglevel for particular