.htaccess

# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
  <IfModule mod_version.c>
    <IfVersion < 2.4>
      Deny from all
    </IfVersion>
    <IfVersion >= 2.4>
      Require all denied
    </IfVersion>
  </IfModule>
  <IfModule !mod_version.c>
    Deny from all
  </IfModule>
</FilesMatch>

Options -Indexes

<IfModule mod_expires.c>
<IfModule mod_headers.c>
<IfModule mod_env.c>
  <FilesMatch (\.js|\.css)$>
    ExpiresActive On
    # According to RFC 2616, "1 year in the future" means "never expire".
    # We change the name of the file's URL whenever its modification date
    # changes, so browsers can cache any individual JS or CSS URL forever.
    # However, since all JS and CSS URLs involve a ? in them (for the changing
    # name) we have to explicitly set an Expires header or browsers won't
    # *ever* cache them.
    ExpiresDefault "now plus 1 years"
    Header append Cache-Control "public"
  </FilesMatch>

  # This lets Bugzilla know that we are properly sending Cache-Control
  # and Expires headers for CSS and JS files.
  SetEnv BZ_CACHE_CONTROL 1
</IfModule>
</IfModule>
</IfModule>

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteOptions inherit
  RewriteRule ^rest/(.*)$ rest.cgi/$1 [NE]
</IfModule>