# Deny all direct HTTP access to anything in /data
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# For older Apache (2.2) fallback:
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>