@enderandpeter
Last active October 20, 2015 18:53
Recommended vhost configuration for Magento sites. All web users are granted access, except to the app folder, which contains framework configuration. AllowOverride should grant only as much access as is required, so edit that line as necessary.
<VirtualHost *:80>
    ServerName magento.local
    DocumentRoot /var/www/magento
    <Directory /var/www/magento>
        Require all granted
        AllowOverride FileInfo Indexes Options Limit
    </Directory>
</VirtualHost>
@enderandpeter
Author

Even though Magento recommends setting AllowOverride All, you should be wary of allowing a web app to do anything at all, as opposed to only what it is expecting to do. This is why they recommend letting the web server process owner only write to specific directories.

Earlier, the config was denying the entire /var/www/magento/app folder, but I have since learned that the .htaccess files throughout the site already deny access to the places it wishes to restrict, and so it is important to allow the right overrides, as well as Options FollowSymLinks if it is not on. The Limit directive type allows the Allow, Order, and Deny directives. If Magento starts using Require, you'd want to allow AuthConfig.
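
One way to check that an `AllowOverride` line grants exactly what a site's `.htaccess` files use, as an added example that is not part of the gist or of Magento. The directive-to-class table is a partial one taken from the Apache 2.4 and PHP documentation, and `SAMPLE`, `needed_overrides` and `audit` are names and data constructed for illustration.

```python
import re

# Partial map: .htaccess directive -> AllowOverride class it needs (Apache 2.4
# docs; php_value/php_flag per the PHP manual). Extend it for other modules.
OVERRIDE_CLASS = {
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "require": "AuthConfig", "authtype": "AuthConfig", "authname": "AuthConfig",
    "options": "Options", "php_value": "Options", "php_flag": "Options",
    "directoryindex": "Indexes", "expiresactive": "Indexes",
    "rewriteengine": "FileInfo", "rewritecond": "FileInfo", "rewriterule": "FileInfo",
    "errordocument": "FileInfo", "addtype": "FileInfo", "header": "FileInfo",
}
ALL_CLASSES = {"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"}

# Constructed sample .htaccess content (not copied from any real site).
SAMPLE = """\
DirectoryIndex index.php
<IfModule mod_php5.c>
    php_value memory_limit 256M
</IfModule>
<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine on
    RewriteRule .* index.php [L]
</IfModule>
<Files cron.php>
    Order allow,deny
    Deny from all
</Files>
"""

def needed_overrides(htaccess_text):
    """Return ({override class: directive names}, {unmapped directive names})."""
    needed, unknown = {}, set()
    text = re.sub(r"\\\r?\n", " ", htaccess_text)  # join continued lines
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#<":  # comments and <Section> wrappers
            continue
        name = line.split(None, 1)[0]
        cls = OVERRIDE_CLASS.get(name.lower())
        if cls:
            needed.setdefault(cls, set()).add(name)
        else:
            unknown.add(name)
    return needed, unknown

def audit(allow_override, htaccess_text):
    """Compare the granted AllowOverride classes with what the file uses."""
    granted = {tok.split("=")[0] for tok in allow_override.split()}  # Options=... form
    granted = set(ALL_CLASSES) if "All" in granted else granted - {"None"}
    needed, unknown = needed_overrides(htaccess_text)
    return {"missing": sorted(set(needed) - granted),  # Apache rejects these directives
            "unused": sorted(granted - set(needed)),   # granted but never exercised
            "unknown": sorted(unknown)}                # not in the table: check by hand
```

With the gist's `FileInfo Indexes Options Limit` the sample has nothing missing and nothing unused; appending a `Require all denied` line reports `AuthConfig` as missing, and `AllowOverride All` reports `AuthConfig` as unused.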
