Suggest Updating Sample Apache Configuration in readme.md

[kbecker43]

The readme contains a sample Apache Configuration:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule .* index.php [L,QSA]

See https://github.com/bcosca/fatfree#sample-apache-configuration

I'm suggesting this be updated to the Apache config that's actually used in F3:

# Enable rewrite engine and route requests to framework
RewriteEngine On

# Some servers require you to specify the `RewriteBase` directive
# In such cases, it should be the path (relative to the document root)
# containing this .htaccess file
#
# RewriteBase /

RewriteRule ^(tmp)\/|\.ini$ - [R=404]

RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L,QSA]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

The reason being that using the paired down sample apache config in the readme is missing the RewriteRule ^(tmp)\/|\.ini$ - [R=404] which could leave a server open to having .ini files accessible exposing your routes and any variables (which could potentially include database or other credentials).