The following ruleset in Apache 2.4’s vHost or server configuration allows us to only grant access to some specific file extensions. All files not covered by the following rule are not accessible via the web server:
# Restrict access to allowed file extensions <FilesMatch ".+\.(?!(php|css|js|png|jpg|jpeg)$)[^\.]+?$"> Require all denied </FilesMatch>
In this case, we only allow the extensions .php, .css, .js, .png, .jpg and .jpeg. This rule first prevents access to all file types. Then, it explicitly allows access to some files by excluding them from the general rule.
Since these rules will also work in an .htaccess file, full access to the server configuration is not required.