We needed to protect our production site from prying eyes for a while with a basic authentication. Using apache basic auth settings seemed not enough. Or actually was too much. We wanted the theme to blend in. So these files were not supposed to get protected. Only our Drupal pages should.
The solution came from http://php.net/manual/en/features.http-auth.php. Adding the following to sites/default/settings.php makes the customer happy and drush too.