# Serve index.html (then index.php) as the default page
DirectoryIndex index.html index.php

# Turn off directory listing so visitors can't browse your files
Options -Indexes

# Keep the bookings data file private (only the PHP scripts may read it)
<Files "bookings.json">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>