Secure file permissions - post-install

Hi there,
I have just installed Xibo manually on Apache and Ubuntu 22.04 and after a bit of playing around got things to work.

One thing I found whilst installing though, was that so many different files and folders were requesting the webserver user have right access to them, it was easier to change ownership of all of the xibo files to www-data. This allowed the install to go through seamlessly, however I would now like to harden the install up a little.

Which files and folders does the webserver need write access to and am I then able to change ownership of everything else back to my root account so that the webserver user does not have write access to them?