diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000000..a88faa7f13
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,15 @@
+# disable directory listing
+Options -Indexes
+
+# disable file serving (Apache 2.4)
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+
+# disable file serving (Apache 2.2)
+<IfModule !mod_authz_core.c>
+  <IfModule mod_authz_host.c>
+    Order deny,allow
+    Deny from all
+  </IfModule>
+</IfModule>
diff --git a/assets/.htaccess b/assets/.htaccess
new file mode 100644
index 0000000000..117f7eb8dd
--- /dev/null
+++ b/assets/.htaccess
@@ -0,0 +1,12 @@
+# enable file serving (Apache 2.4)
+<IfModule mod_authz_core.c>
+  Require all granted
+</IfModule>
+
+# enable file serving (Apache 2.2)
+<IfModule !mod_authz_core.c>
+  <IfModule mod_authz_host.c>
+    Order allow,deny
+    Allow from all
+  </IfModule>
+</IfModule>