# Block direct access to ALL PHP files in config folder (including index.php)
<FilesMatch "\.(php|inc)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Alternative method for Apache 2.4+
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|inc)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Prevent directory listing
Options -Indexes

# Additional security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "DENY"
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
