Vorapsak’s answer is almost correct. It’s actually

order allow,deny
<Files ~ "\.(js|sql)$">
   allow from all
</Files>

You need the order directive at the top (and you don’t need anything else).

The interesting thing is, it seems we can’t just negate the regex in FilesMatch, which is… weird, especially since the “!” causes no server errors or anything. Well, duh.

and a bit of explanation:

The order cause tells the server about its expected default behaviour. The

 order allow,deny

tells the server to process the “allow” directives first: if a request matches any allow directive, it’s marked as okay. Then the “deny” directives are evaulated: if a request matches any deny directives, it’s denied (it doesn’t matter if it was allowed in the first pass). If no matches were found, the file is denied.

The directive

 order deny,allow

works the opposite way: first the server processes the “deny” directives: if a request matches, it’s marked to be denied. Then the “allow” directives are evaulated: if a request matches an allow directive, it’s allowed in, even if it matches a deny directive earlier. If a request matches nothing, the file is allowed.

In this specific case, the server first tries to match the allow directives: it sees that js and sql files are allowed, so a request to foo.js goes through; a request to bar.php matches no directives, so it’s denied.

If we swap the directive to “order deny,allow”, then foo.js will go through (for being a js), and bar.php will also go through, as it matches no patterns.

oh and, one more thing: directives in a section (i.e. < Files> and < Directory>) are always evaulated after the main body of the .htaccess file, overwriting it. That’s why Vorapsak’s solution did not work as inteded: the main .htaccess denied the request, then the < Files> order was processed, and it allowed the request.

Htaccess is magic of the worst kind, but there’s logic to it.