Docs: Added hide for *.php files to file_server directives.

[gnat]

Thought I'd make a quick documentation PR as this has always spooked me with FrankenPHP. Prevents accidental exposure of raw .php files when using file_server. It'd be a security nightmare if we had an issue with unwanted PHP code downloads, particularly with projects that mix assets with code.

Protects us against scenarios where a .php ends up at file_server, ex: Caddyfile misconfiguration (could be as lame as a syntax issue or commenting out php or php_server) or FrankenPHP issue/crash.

[AlliBalliBaba]

I'm not sure it makes sense to add hide *.php to this specific configuration. It might make people think they need to add it everywhere, even though in this case it's (as you mentioned) redundant.

Maybe it would make more sense to add a separate section with a specific scenario in which this would be necessary for security?

[gnat]

If there's any issue at the php or php_server directives, it'll fall through and your code is going to be publicly served by file_server. FrankenPHP is lovely but we've had crash fixes already.

Agreed I don't like extra lines either, but if there's any regression/crash in FrankenPHP or someone messes up a Caddyfile edit, you get a very scary failure scenario.