# link-menu-system :: deny direct web access to instance-state JSON
#
# config.json (portal) holds the bcrypt admin-credential hash; router-config.json
# (router) holds the four routing URLs. Both are read by PHP from the filesystem,
# so blocking the direct HTTP fetch costs nothing and keeps the hash off the public
# web. This is a mitigation, not the real fix -- see "Security" in INSTALL.md.
#
# Apache / LiteSpeed honor this file; nginx ignores it -- see NGINX.md for the
# equivalent. If Apache is configured "AllowOverride None", this file is ignored
# too (no protection, no warning), so confirm direct fetch is actually blocked.
<FilesMatch "\.json$">
    # Apache 2.4+
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
