# Deny all access to the app directory by default.
# "Order deny,allow" evaluates Deny rules before Allow rules, and
# "Deny from all" matches every client, so nothing here is served unless a
# later-merged section below overrides it.
# NOTE(review): Order/Allow/Deny are the Apache 2.2 access-control syntax. On
# Apache 2.4 (which the <If> section below requires) they are provided by
# mod_access_compat; the native 2.4 form is "Require all denied" /
# "Require all granted". Confirm mod_access_compat is loaded, and if you
# migrate, convert every section in this file together rather than mixing
# the two styles.
# NOTE(review): do not wrap these rules in <IfModule>; if the module were
# missing, the deny would be skipped silently instead of failing with an error.
Order deny,allow
Deny from all

# Explicitly deny direct requests for PHP files.
# This section only denies; it does not allow anything. It repeats the
# directory-wide deny above for *.php so that PHP sources stay blocked even if
# the default rule is relaxed later.
<Files "*.php">
    Order allow,deny
    Deny from all
</Files>

# Exception for the API directory (if you have one): requests whose URI path
# starts with /app/api/ are allowed.
# The pattern is anchored at the start of the path, so it assumes this
# directory is served at /app/ - TODO confirm against the real URL layout.
# <If> sections are merged after <Files> sections, so this exception
# presumably overrides both rules above, including the *.php deny - verify on
# the target server.
# NOTE(review): the exception re-opens everything under /app/api/, not only the
# intended endpoints. Keep configuration, logs, backups and credentials out of
# that directory, or narrow the pattern to the actual entry points. Remove this
# section entirely if there is no API.
<If "%{REQUEST_URI} =~ m#^/app/api/#">
    Order allow,deny
    Allow from all
</If>