# Nobody gets to this folder directly over the web.
# download.php reads files off disk with PHP's filesystem functions,
# which is not affected by these rules — only direct URL requests are.

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>

# Belt and suspenders: even if the block above is ever removed by mistake,
# this stops PHP files in here from running.
php_flag engine off
Options -Indexes -ExecCGI
