Options +FollowSymLinks -Indexes RewriteEngine On # 404 AND DENY ACCESS TO CORE DIRs RewriteRule "^(src|models|views|controllers|includes|forms|templates|sql|classes|settings|uploads|notes|configs|vendor|node_modules)/(.*)$" "-" [L,R=404] # TRACE and TRACK HTTP methods disabled to prevent XSS attacks RewriteCond "%{REQUEST_METHOD}" "^TRAC[EK]" RewriteRule ".*" "-" [L,R=405] # always send 404 on missing files in these folders RewriteCond "%{REQUEST_FILENAME}" "!-f" RewriteCond "%{REQUEST_FILENAME}" "!-d" RewriteCond "%{REQUEST_FILENAME}" "!-l" RewriteRule "^(assets|skin|js|css|public)/(.*)$" "-" [R=404,L,NS] Order deny,allow Deny from all Order deny,allow Deny from all Order deny,allow Deny from all