Quick post today: If you're wondering how Sitecore secures the client and other sensitive directories when deploying to Azure Web Apps, it's quite simple. And you can use the same trick to protect other sensitive folders in your instance.
The secret is in the Web.Config's location directives. For example, these rules allow access to the /api directory, and deny it to the /sitecore directory:
<location path="sitecore">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="sitecore/api">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>