diff --git a/.gitignore b/.gitignore
index 865e848..d1f91d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -43,6 +43,4 @@ compiled/
 /vendors/*
 
 
-.rktsndbx-cache
 data
-pkg-cache
diff --git a/.htaccess b/.htaccess
index 6cd1e2d..6884570 100644
--- a/.htaccess
+++ b/.htaccess
@@ -5,6 +5,8 @@ DirectoryIndex index.php
 Options -MultiViews -Indexes
 RewriteEngine On
 
+RewriteRule ^private(?:/|$) - [F,L]
+
 RewriteRule ^bootstrap-racket$ rkt.php [L,QSA]
 RewriteRule ^bootstrap-racket-part$ rkt.php [L,QSA]
 RewriteRule ^racket-pkg-index$ rktpkgs.php [L,QSA]
diff --git a/config.php b/config.php
index 94f1eb4..8daf20a 100644
--- a/config.php
+++ b/config.php
@@ -5,13 +5,13 @@
  * Admin application configuration.
  */
 
-require_once __DIR__ . '/auth.php';
-require_once __DIR__ . '/header.php';
-require_once __DIR__ . '/languagestore.php';
-require_once __DIR__ . '/nexttoken.php';
-require_once __DIR__ . '/usersettings.php';
-require_once __DIR__ . '/base64config.php';
-require_once __DIR__ . '/racketzip.php';
+require_once __DIR__ . '/private/auth.php';
+require_once __DIR__ . '/private/header.php';
+require_once __DIR__ . '/private/languagestore.php';
+require_once __DIR__ . '/private/nexttoken.php';
+require_once __DIR__ . '/private/usersettings.php';
+require_once __DIR__ . '/private/base64config.php';
+require_once __DIR__ . '/private/racketzip.php';
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
diff --git a/config/apikey.cfg b/config/apikey.cfg
deleted file mode 100644
index c2c46ac..0000000
--- a/config/apikey.cfg
+++ /dev/null
@@ -1 +0,0 @@
-flfadrdeyc.yvtpmoyjm.gthfkqbrf.kyhhvikcv
diff --git a/index.php b/index.php
index fa04ecf..4704097 100644
--- a/index.php
+++ b/index.php
@@ -18,12 +18,12 @@
  *   - gebruiker verwijderen
  */
 
-require_once __DIR__ . '/auth.php';
-require_once __DIR__ . '/header.php';
-require_once __DIR__ . '/languagestore.php';
-require_once __DIR__ . '/nexttoken.php';
-require_once __DIR__ . '/promptstore.php';
-require_once __DIR__ . '/usersettings.php';
+require_once __DIR__ . '/private/auth.php';
+require_once __DIR__ . '/private/header.php';
+require_once __DIR__ . '/private/languagestore.php';
+require_once __DIR__ . '/private/nexttoken.php';
+require_once __DIR__ . '/private/promptstore.php';
+require_once __DIR__ . '/private/usersettings.php';
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
@@ -464,7 +464,7 @@ render_app_header(array(
 
 </div>
 
-<script src="/clipboard.js" defer></script>
-<script src="/bootstrap-prompt.js" defer></script>
+<script src="/js/clipboard.js" defer></script>
+<script src="/js/bootstrap-prompt.js" defer></script>
 </body>
 </html>
diff --git a/bootstrap-prompt.js b/js/bootstrap-prompt.js
similarity index 100%
rename from bootstrap-prompt.js
rename to js/bootstrap-prompt.js
diff --git a/clipboard.js b/js/clipboard.js
similarity index 100%
rename from clipboard.js
rename to js/clipboard.js
diff --git a/prompt-editor.js b/js/prompt-editor.js
similarity index 100%
rename from prompt-editor.js
rename to js/prompt-editor.js
diff --git a/login.php b/login.php
index 9ae3950..9c99369 100644
--- a/login.php
+++ b/login.php
@@ -3,7 +3,7 @@
  * login.php
  */
 
-require_once __DIR__ . '/auth.php';
+require_once __DIR__ . '/private/auth.php';
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
diff --git a/package.php b/package.php
index febc320..9fcd98f 100644
--- a/package.php
+++ b/package.php
@@ -28,18 +28,18 @@ ini_set('display_startup_errors', '1');
 ini_set('log_errors', '1');
 error_reporting(E_ALL);
 
-require_once __DIR__ . '/nexttoken.php';
+require_once __DIR__ . '/private/nexttoken.php';
 
 $TOKENS = new NextTokenStore(__DIR__ . '/data/racket-sandbox.sqlite');
 
 @set_time_limit(300);
 ignore_user_abort(false);
 
-require_once __DIR__ . '/gitfetcher.php';
-require_once __DIR__ . '/b64parts.php';
-require_once __DIR__ . '/base64config.php';
-require_once __DIR__ . '/lib/catalog-http.php';
-require_once __DIR__ . '/lib/racket-data.php';
+require_once __DIR__ . '/private/gitfetcher.php';
+require_once __DIR__ . '/private/b64parts.php';
+require_once __DIR__ . '/private/base64config.php';
+require_once __DIR__ . '/private/lib/catalog-http.php';
+require_once __DIR__ . '/private/lib/racket-data.php';
 
 define('DATA_DIR', __DIR__ . '/data');
 define('CATALOG_PACKAGE_BASE', 'https://pkgs.racket-lang.org/pkg/');
diff --git a/private/.htaccess b/private/.htaccess
new file mode 100644
index 0000000..b66e808
--- /dev/null
+++ b/private/.htaccess
@@ -0,0 +1 @@
+Require all denied
diff --git a/auth.php b/private/auth.php
similarity index 100%
rename from auth.php
rename to private/auth.php
diff --git a/b64parts.php b/private/b64parts.php
similarity index 100%
rename from b64parts.php
rename to private/b64parts.php
diff --git a/base64config.php b/private/base64config.php
similarity index 100%
rename from base64config.php
rename to private/base64config.php
diff --git a/config/base64-chunks.php b/private/config/base64-chunks.php
similarity index 100%
rename from config/base64-chunks.php
rename to private/config/base64-chunks.php
diff --git a/config/next-token-words.php b/private/config/next-token-words.php
similarity index 100%
rename from config/next-token-words.php
rename to private/config/next-token-words.php
diff --git a/gitfetcher.php b/private/gitfetcher.php
similarity index 99%
rename from gitfetcher.php
rename to private/gitfetcher.php
index f94fde8..e0979f1 100644
--- a/gitfetcher.php
+++ b/private/gitfetcher.php
@@ -42,7 +42,7 @@ class GitFetcher
     {
         $this->dataDir = isset($options['data_dir'])
             ? rtrim((string)$options['data_dir'], '/')
-            : __DIR__ . '/data';
+            : dirname(__DIR__) . '/data';
 
         $this->timeout = isset($options['timeout']) ? (int)$options['timeout'] : 180;
         $this->connectTimeout = isset($options['connect_timeout']) ? (int)$options['connect_timeout'] : 20;
@@ -575,4 +575,4 @@ class GitFetcher
 
         return $body;
     }
-}
\ No newline at end of file
+}
diff --git a/header.php b/private/header.php
similarity index 100%
rename from header.php
rename to private/header.php
diff --git a/languagestore.php b/private/languagestore.php
similarity index 100%
rename from languagestore.php
rename to private/languagestore.php
diff --git a/lib/catalog-http.php b/private/lib/catalog-http.php
similarity index 100%
rename from lib/catalog-http.php
rename to private/lib/catalog-http.php
diff --git a/lib/racket-data.php b/private/lib/racket-data.php
similarity index 100%
rename from lib/racket-data.php
rename to private/lib/racket-data.php
diff --git a/make-user.php b/private/make-user.php
similarity index 93%
rename from make-user.php
rename to private/make-user.php
index b7a718b..48bf9d3 100644
--- a/make-user.php
+++ b/private/make-user.php
@@ -34,7 +34,7 @@ $password = $argv[3];
 $isAdmin = $argv[4] === '1';
 
 try {
-    $auth = new RacketSandboxAuth(__DIR__ . '/data/racket-sandbox.sqlite');
+    $auth = new RacketSandboxAuth(dirname(__DIR__) . '/data/racket-sandbox.sqlite');
 
     $user = $auth->createUser($email, $fullName, $password, $isAdmin, true);
 
@@ -49,4 +49,4 @@ try {
 } catch (Throwable $e) {
     echo "Error: " . $e->getMessage() . "\n";
     exit(1);
-}
\ No newline at end of file
+}
diff --git a/nexttoken.php b/private/nexttoken.php
similarity index 100%
rename from nexttoken.php
rename to private/nexttoken.php
diff --git a/promptstore.php b/private/promptstore.php
similarity index 100%
rename from promptstore.php
rename to private/promptstore.php
diff --git a/racketzip.php b/private/racketzip.php
similarity index 97%
rename from racketzip.php
rename to private/racketzip.php
index 20890c8..6558aba 100644
--- a/racketzip.php
+++ b/private/racketzip.php
@@ -3,8 +3,8 @@
  * Shared handling for the Racket installation zip and its binary parts.
  */
 
-define('RACKET_ZIP_FILE', __DIR__ . '/config/racket.zip');
-define('RACKET_ZIP_DATA_DIR', __DIR__ . '/data');
+define('RACKET_ZIP_FILE', dirname(__DIR__) . '/config/racket.zip');
+define('RACKET_ZIP_DATA_DIR', dirname(__DIR__) . '/data');
 define('RACKET_ZIP_PART_PREFIX', 'racket-part-');
 define('RACKET_ZIP_MANIFEST_FILE', RACKET_ZIP_DATA_DIR . '/racket-parts.json');
 
diff --git a/usersettings.php b/private/usersettings.php
similarity index 100%
rename from usersettings.php
rename to private/usersettings.php
diff --git a/prompts.php b/prompts.php
index 2603b35..ea665f2 100644
--- a/prompts.php
+++ b/prompts.php
@@ -13,11 +13,11 @@
  *   - manage global default prompts
  */
 
-require_once __DIR__ . '/auth.php';
-require_once __DIR__ . '/header.php';
-require_once __DIR__ . '/languagestore.php';
-require_once __DIR__ . '/promptstore.php';
-require_once __DIR__ . '/usersettings.php';
+require_once __DIR__ . '/private/auth.php';
+require_once __DIR__ . '/private/header.php';
+require_once __DIR__ . '/private/languagestore.php';
+require_once __DIR__ . '/private/promptstore.php';
+require_once __DIR__ . '/private/usersettings.php';
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');
@@ -395,7 +395,7 @@ if ($user->isAdmin()) {
 }
 
 $styleVersion = @filemtime(__DIR__ . '/styles.css') ?: time();
-$promptEditorVersion = @filemtime(__DIR__ . '/prompt-editor.js') ?: time();
+$promptEditorVersion = @filemtime(__DIR__ . '/js/prompt-editor.js') ?: time();
 
 header('Content-Type: text/html; charset=utf-8');
 ?>
@@ -714,7 +714,7 @@ render_app_header(array(
     'new' => t('prompts.new', 'new'),
 ), JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) ?>
 </script>
-<script src="/prompt-editor.js?v=<?= h($promptEditorVersion) ?>" defer></script>
+<script src="/js/prompt-editor.js?v=<?= h($promptEditorVersion) ?>" defer></script>
 
 </body>
 </html>
diff --git a/rkt.php b/rkt.php
index a7c72c6..a48ea73 100644
--- a/rkt.php
+++ b/rkt.php
@@ -36,9 +36,9 @@ ini_set('display_startup_errors', '1');
 ini_set('log_errors', '1');
 error_reporting(E_ALL);
 
-require_once __DIR__ . '/nexttoken.php';
-require_once __DIR__ . '/base64config.php';
-require_once __DIR__ . '/racketzip.php';
+require_once __DIR__ . '/private/nexttoken.php';
+require_once __DIR__ . '/private/base64config.php';
+require_once __DIR__ . '/private/racketzip.php';
 
 $TOKENS = new NextTokenStore(__DIR__ . '/data/racket-sandbox.sqlite');
 
diff --git a/rktpkgs.php b/rktpkgs.php
index bb2ebb3..6b095ad 100644
--- a/rktpkgs.php
+++ b/rktpkgs.php
@@ -33,9 +33,9 @@ ini_set('display_startup_errors', '1');
 ini_set('log_errors', '1');
 error_reporting(E_ALL);
 
-require_once __DIR__ . '/nexttoken.php';
-require_once __DIR__ . '/lib/catalog-http.php';
-require_once __DIR__ . '/lib/racket-data.php';
+require_once __DIR__ . '/private/nexttoken.php';
+require_once __DIR__ . '/private/lib/catalog-http.php';
+require_once __DIR__ . '/private/lib/racket-data.php';
 
 $TOKENS = new NextTokenStore(__DIR__ . '/data/racket-sandbox.sqlite');
 
diff --git a/users.php b/users.php
index 99b93ea..7cea83c 100644
--- a/users.php
+++ b/users.php
@@ -5,10 +5,10 @@
  * Admin user management.
  */
 
-require_once __DIR__ . '/auth.php';
-require_once __DIR__ . '/header.php';
-require_once __DIR__ . '/languagestore.php';
-require_once __DIR__ . '/usersettings.php';
+require_once __DIR__ . '/private/auth.php';
+require_once __DIR__ . '/private/header.php';
+require_once __DIR__ . '/private/languagestore.php';
+require_once __DIR__ . '/private/usersettings.php';
 
 ini_set('display_errors', '1');
 ini_set('display_startup_errors', '1');