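# Protect sensitive files.
# FilesMatch tests only a file's own name (the last path component), in this
# directory and in every subdirectory. The pattern is anchored at the start
# only, so a name that merely begins with a listed name (for example a copy of
# config.php with an extra suffix) is denied as well.
# NOTE(review): if this file is deployed as .htaccess, the directives below
# need AllowOverride AuthConfig (Require), Limit (Order/Deny) and FileInfo
# (RedirectMatch); confirm the server configuration grants them.
<FilesMatch "^(config\.php|sheet_helpers\.php|.*\.json|.*\.log|^\..*|README\.md)">
    # Apache 2.4+: native mod_authz_core syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 these directives exist only when
    # mod_access_compat is loaded, so they are not used there.
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch cannot protect the contents of a hidden directory: a file inside
# .git/ is tested by its own name, which normally does not start with a dot.
# Refuse the whole path instead, so repository metadata is never served.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.git(/|$)"
</IfModule>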

# Prevent directory listing: with Indexes off, a request for a directory that
# has no index file is refused instead of returning a generated file list.
# In .htaccess this directive requires AllowOverride to permit Options.
Options -Indexes

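# No exceptions for public files are defined; the FilesMatch rule above is specific enough.
# That rule blocks:
# - config.php
# - sheet_helpers.php
# - Any .json file (data.json, sheets/*.json)
# - Any .log file (activity.log)
# - Any file whose own name starts with a dot (.DS_Store)
# - README.md
# It does not cover files inside a dot-directory such as .git/: FilesMatch tests
# only the file name, so those paths need a separate path-based rule.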

# Ensure index.php is the default index: a request for a directory URL is
# answered by the index.php in that directory.
DirectoryIndex index.php
