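# Harden this directory: turn off auto-generated directory listings and add
# defensive response headers to PHP responses.
# NOTE: nothing in this file blocks direct browser access to the PHP endpoints.
# They are meant to be called via fetch() / XHR from the app, but the server
# cannot tell such a call from any other HTTP request, so every endpoint must
# enforce its own authentication, authorization and CSRF checks.
Options -Indexes
<FilesMatch "\.(php)$">
    # "always" also applies the headers to non-2xx responses that Apache
    # generates itself; the default condition (onsuccess) does not cover those.
    # Header requires mod_headers. Without it Apache rejects this file and
    # requests under this directory fail with a 500 instead of being served
    # without the headers.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
</FilesMatch>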

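# Deny every direct HTTP request for config.php. PHP include/require reads the
# file from disk, so the application can still load it.
# This rule only takes effect where .htaccess overrides are honoured
# (AllowOverride: AuthConfig for Require, Limit for Order/Deny). Keeping
# config.php outside the document root removes that dependency.
<Files "config.php">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 these directives need mod_access_compat and
    # otherwise make every request under this directory fail with a 500.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>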
