Whitelist urls instead of blacklist

.htaccess

@@ -12,19 +12,16 @@
     RewriteEngine On
     RewriteBase /
 
-    # Deny access to framework directories
-    RewriteRule ^(app|bootstrap|config|database|resources|storage|tests|vendor|node_modules)/ - [R=404,L,NC]
-
-    # And dot files/folders (for example .env)
-    RedirectMatch 404 /\..*$
-
     # Redirect Trailing Slashes...
     RewriteRule ^(.*)/$ /$1 [L,R=301]
 
+    # Whitelist only index.php, robots.txt, and those start with public/ or api/
+    RewriteRule ^(?!($|index\.php|robots\.txt|(public|api)/)) - [R=404,L]
+
     # Handle Front Controller...
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteCond %{REQUEST_FILENAME} !-f
-    RewriteRule ^ index.php [L]
+    RewriteRule .* index.php [L]
 
     # https://github.com/tymondesigns/jwt-auth/wiki/Authentication
     RewriteCond %{HTTP:Authorization} ^(.*)

nginx.conf.example

@@ -4,14 +4,9 @@ server {
   root          /var/www/koel;
   index         index.php;
 
-  # Deny access to dotfiles
-  location ~ /\. {
-    deny        all;
-  }
-
-  # Deny access to framework directories
-  location ~ /(app|bootstrap|config|database|resources|storage|tests|vendor|node_modules)/ {
-    deny        all;
+  # Whitelist only index.php, robots.txt, and those start with public/ or api/
+  if ($request_uri !~ ^/$|index\.php|robots\.txt|api/|public/) {
+    return 404;
   }
 
   location /media/ {