
Protect requests via .htaccess

Normally, all files located in the start directory of the domain (and all subdirectories) can be downloaded via a browser.

Access to .php, .html, .css and .js files is essentially required to display the website.

However, there may also be files on the server that are not required. These include backup files, text files, SQL files, most XML files, etc.

Directives in the .htaccess file in the start directory of the domain can prevent access to such files.

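The first example blocks access to files with the extensions .xml, .bak, .sql, .php4, .php5, .tgz, .gz, .old and .txt:

# The trailing "$" anchors the match to the end of the file name,
# so only files that actually end in one of these extensions are blocked.
<FilesMatch "\.(xml|bak|sql|php4|php5|tgz|gz|old|txt)$">
Order Deny,Allow
Deny from all
</FilesMatch>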

You can also block all files that have a tilde character (~) in the file name:

<FilesMatch "(~)">
Order Deny,Allow
Deny from all
</FilesMatch>

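If individual files are to remain accessible anyway, they can be specified via a "whitelist". Place this block after the blocking rules above, because Apache applies matching sections in the order they appear and later sections override earlier ones: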

<FilesMatch "(sitemap\.xml|robots\.txt|crossdomain\.xml)$">
Order Deny,Allow
Allow from all
</FilesMatch>

The following directive blocks visitors with a specific IP address:

deny from 123.123.123.123
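
On Apache 2.4 the Order, Deny and Allow directives used above are only available through mod_access_compat and are deprecated in favour of Require. The same rules in the native 2.4 syntax, as an added example that is not part of the original page; it assumes mod_authz_core and mod_authz_host are loaded and that AllowOverride permits AuthConfig for this directory:

```apache
# Added example, Apache 2.4 syntax. Do not mix with the Order/Deny/Allow
# blocks above in the same .htaccess file; use one style or the other.

# Directory-wide default: everyone except the blocked address.
<RequireAll>
    Require all granted
    Require not ip 123.123.123.123
</RequireAll>

# Block by extension; "$" anchors the match to the end of the file name.
<FilesMatch "\.(xml|bak|sql|php4|php5|tgz|gz|old|txt)$">
    Require all denied
</FilesMatch>

# Block files with a tilde in the name, e.g. index.php~
<FilesMatch "~">
    Require all denied
</FilesMatch>

# Whitelist: must come last. With the default "AuthMerging Off", a later
# matching section replaces the authorization rules of earlier ones,
# including the directory-wide default, so the IP block is repeated here.
# "^" and "$" limit the match to exactly these three file names.
<FilesMatch "^(sitemap\.xml|robots\.txt|crossdomain\.xml)$">
    <RequireAll>
        Require all granted
        Require not ip 123.123.123.123
    </RequireAll>
</FilesMatch>
```

After deploying, request one blocked file, one whitelisted file and one regular page and confirm the status codes are 403, 200 and 200 respectively.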
Updated: 17.07.2024