Why CI need defined('BASEPATH') OR exit('No direct script access allowed'); in all files application?
is required add index.html to all folders?
is secure use htaccess for deny application?
<IfModule authz_core_module>
Require all denied
</IfModule>
<IfModule !authz_core_module>
Deny from all
</IfModule>