-rw-r--r--.htaccess.dist9
-rw-r--r--p/.htaccess7
-rw-r--r--p/themes/.htaccess7
3 files changed, 14 insertions, 9 deletions
diff --git a/.htaccess.dist b/.htaccess.dist
index 18475b849..33f794673 100644
--- a/.htaccess.dist
+++ b/.htaccess.dist
@@ -1,7 +1,12 @@
# Copy this file to `.htaccess` for additional root-level protection
# if you cannot set Apache `DocumentRoot` to `./p/` as recommended.
-# Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions
-<FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
+# Deny files starting with a dot or without extension or with specific extensions
+<FilesMatch "^\.|^[^.]+$|\.(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)$">
Require all denied
</FilesMatch>
+
+# Deny some sub-folders, which may not be excluded by their own .htaccess
+<If "%{REQUEST_URI} =~ m#/(bin|data|node_modules|vendor|\..+)(/|$)#">
+ Require all denied
+</If>
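Review bot: The new `FilesMatch` pattern in .htaccess.dist is a denylist, so it fails open: any extension it does not name is served, where the removed pattern denied everything outside its allowlist. `sh` is denied by the p/themes hunk of this same commit but is missing here, and common leftovers such as `bak`, `log`, `sql` or `lock` are not covered either. The `<If>` block only covers `bin`, `data`, `node_modules`, `vendor` and dot-folders, so files anywhere else depend on this list; which such files actually exist is not visible from the hunk. I would extend it, for example `<FilesMatch "^\.|^[^.]+$|\.(bak|config\.js|gz|json|lock|log|md|neon|sh|sql|sqlite|xml|ya?ml|zip)$">`, and add a comment such as `# Denylist: extend it whenever a new non-public file type is added to the repository`. Separately, `\..+` in the `<If>` expression matches any path segment that starts with a dot, which would presumably include `/.well-known/` when the application sits at the document root, so that deserves a comment or an explicit exception.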
diff --git a/p/.htaccess b/p/.htaccess
index 40dd7e51f..70bc34710 100644
--- a/p/.htaccess
+++ b/p/.htaccess
@@ -1,10 +1,3 @@
-<IfModule mod_authz_core.c>
- # Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions
- <FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
- Require all denied
- </FilesMatch>
-</IfModule>
-
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
diff --git a/p/themes/.htaccess b/p/themes/.htaccess
index 0e78aab3a..42732cd38 100644
--- a/p/themes/.htaccess
+++ b/p/themes/.htaccess
@@ -1,3 +1,10 @@
+<IfModule mod_authz_core.c>
+ # Deny files without extension or with specific extensions
+ <FilesMatch "^[^.]+$|\.(json|md|scss|sh)$">
+ Require all denied
+ </FilesMatch>
+</IfModule>
+
<IfModule mod_mime.c>
AddType font/woff .woff
AddType font/woff2 .woff2
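Review bot: The pattern on the added `FilesMatch` line has no `^\.` alternative, while the rule this commit deletes from p/.htaccess did, so dot-files under p/themes stop being denied when Apache serves `./p/` directly and the root .htaccess.dist is not in play. Unless the server configuration already handles this (stock Apache configurations usually cover only `.ht*`), I would keep it: `<FilesMatch "^\.|^[^.]+$|\.(json|md|scss|sh)$">`. After the p/.htaccess deletion the other folders under p/ have no extension filter at all; if that is intended, a comment in p/.htaccess saying so would help the next maintainer. Because of the `<IfModule mod_authz_core.c>` wrapper the rule is skipped silently when that module is not loaded, which is worth a one-line comment such as `# No effect without mod_authz_core (Apache 2.4+)`.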