This is a minor issue but imho this is not very beautiful:
.inc files should not be shown in browser as raw see http://<ip>/auth.inc.
I know anybody can browse to these files only if authenticated and
showing them is not a security issue, but there is also no need to show
include files as raw.
So what about renaming them to .inc.php or let httpd parse .inc as .php
or deny access to .inc?