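# Block direct web access to non-public folders (defence in depth).
# RedirectMatch tests the full URL path, so the ^/? anchor only covers an
# install at the site root; if the application is served from a sub-path,
# the prefix has to be adjusted or these folders are not matched.
# (?i) makes the match case-insensitive: URL matching is case-sensitive by
# default, so on a case-insensitive filesystem a differently-cased spelling
# of a folder name would otherwise not be matched and would still be served.
RedirectMatch 403 (?i)^/?(app|sql|storage|vendor)(/|$)

# Deny the configuration files by file name, in every directory this
# configuration applies to. Matched case-insensitively for the same reason.
# "Require all denied" is Apache 2.4 syntax (mod_authz_core).
<FilesMatch "(?i)^(config|config\.sample)\.php$">
  Require all denied
</FilesMatch>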
