# Deny ALL direct HTTP access to /storage and any subfolder.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Defensive: block by extension as well in case of misconfig.
<FilesMatch "\.(enc|key|log|json|php|bak|tmp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

Options -Indexes
