# Prefer pointing the domain document root to /public.
# If the whole project is inside public_html, protect sensitive directories/files.
<FilesMatch "^(config|config\.example)\.php$">
    Require all denied
</FilesMatch>
RedirectMatch 403 ^/(app|database|storage)/.*$
