If the remote user knows the exact location of the file, he will still be able to access the file from a browser. How can someone find out about the location of the private file? well this doesn’t really matter too much, but he might see paths, or files, shown in a warning messages, or the files might be browsable (there is no hiding of the files in the directory indexes). So if there are ‘special files’ that you want to not be served in any case to remote users then you will have to deny access to them. But the question is HOW?

Inside my .htaccess file in my webroot folder:

<FilesMatch "\.(js|css)$">
Order deny,allow
Allow from all
</FilesMatch>

But that doesn't seems to work.. :-(
I'm using Apache 2.2

Your code looks pretty different from the code found here. What about trying:

<Files ~ "(.js|.css)">
Order allow,deny
Deny from all
</Files>

Updating the FilesMatch in a apache2.conf will make this a global change without having to individually add it to all sites/virtual directories.

As a side note I suggest adding any files to the exclude list that could possibly hold configuration settings like .xml .ini .conf etc... This does not block the www-data user, it just keeps outside requests for those files from being served and displayed.

(Ubuntu 14.04 Apache2)

ORIGINAL:

    <FilesMatch "^\.ht">
            Require all denied
    </FilesMatch>

NEW:

    <FilesMatch "^\.ht|.js|.css">
            Require all denied
    </FilesMatch>

What you are trying to do will not work.

You need to allow unfettered access to your .css and .js files. If a user's browser can't request the style sheet or the javascript that makes the page tick, then the page won't work for them. (It will load; but it will look horrible because the request for the style sheet got turned down, and anything that relies on JavaScript won't work either.)