# rac-config.php and rac-secrets.php should never be requested
# directly over HTTP — they are only ever loaded via require_once
# from other PHP files. rac-secrets.php in particular contains the
# console password and session salt in plaintext; if this server
# were ever misconfigured to serve .php files as raw text instead
# of executing them (rare, but not impossible on a broken host),
# this is the backstop that prevents that from leaking secrets.
#
# rac-ingest.php is intentionally NOT blocked here — it is the
# beacon endpoint and must remain reachable directly.
<FilesMatch "^rac-(config|secrets)\.php$">
    Require all denied
</FilesMatch>
