# Deny all direct web access to the Include/ directory.
#
# This directory holds install-time configuration (Config.php and the
# JSON values file that feeds ConfigLoader), plus other bootstrap
# scripts. None of it should ever be served directly — the files are
# only consumed by PHP includes from the application's entry points.
#
# See GHSA-mp2w-4q3r-ppx7 for the motivating security context.

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
