
How to restrict/forbid access to specific file types such as .js .css inside a .htaccess file?


If the remote user knows the exact location of the file, he will still be able to access the file from a browser. How can someone find out about the location of the private file? Well, this doesn't really matter too much, but he might see paths or files shown in warning messages, or the files might be browsable (there is no hiding of the files in the directory indexes). So if there are 'special files' that you do not want served to remote users in any case, then you will have to deny access to them. But the question is HOW?

Inside my .htaccess file in my webroot folder:

<FilesMatch "\.(js|css)$">
Order deny,allow
Allow from all
</FilesMatch>

But that doesn't seem to work... :-(
I'm using Apache 2.2


Solution

  • Your code looks pretty different from the code found here. What about trying:

    <Files ~ "\.(js|css)$">
    Order allow,deny
    Deny from all
    </Files>
    

    If you are using Apache version 2.4 or higher:

    <Files ~ "\.(js|css)$">
       Require all denied
    </Files>
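
An added example (not part of the original question or answer) for checking which file names a `<Files ~ ...>` or `<FilesMatch>` pattern would cover before the deny rule is deployed. It assumes Python's `re` behaves like Apache's PCRE for these simple patterns; the file names and the `denied`/`report` helpers are constructed for illustration.

```python
import re

# Constructed sample basenames. <Files ~ ...> and <FilesMatch> test the
# file's basename, not the full URL path.
SAMPLE_FILES = [
    "app.js", "site.css", "package.json", "mycss.php",
    "app.js.bak", "index.html", "APP.JS",
]

PATTERNS = {
    # "." is a wildcard here and nothing anchors the match to the end.
    "unescaped": r"(.js|.css)",
    # Literal dot, extension must end the file name.
    "anchored": r"\.(js|css)$",
    # Same, but also covers upper-case names (relevant when the
    # filesystem is case-insensitive).
    "anchored_nocase": r"(?i)\.(js|css)$",
}


def denied(pattern, names=SAMPLE_FILES):
    """Return the names a deny block using `pattern` would apply to.

    Assumption: re.search stands in for Apache's unanchored PCRE match.
    """
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def report():
    """Map each pattern label to the list of sample names it covers."""
    return {label: denied(pat) for label, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:16} {PATTERNS[label]:20} -> {hits}")
```

The unescaped pattern also blocks unrelated files such as `package.json`, while the anchored pattern leaves `app.js.bak` servable, so backup copies need their own rule.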