# Block direct access to PHP includes that should never be requested in the browser.
<FilesMatch "^(config|bootstrap|db)\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Don't list directories
Options -Indexes

# Default document
DirectoryIndex index.php
