Thanks lithos
Now I'm success for hiding the files if it requested by direct typing on browser address while my flash application still can load properly on my homepage. But I'm doing little different from the link you pointed to me. The most important thing I figure out is that every direct typing request to any resource in webserver
is has no referal, so we can use it. In my case, my flash application need to load the xml/js/and others to work properly. Actually, when my flash app request the files, the apache can served it because it has referal which is my homepage as the referal. So my flash app still works. This is the simplest rules:
RewriteCond %{HTTP_REFERER} ^$ -> is request has no referal?
RewriteRule .*\.(jpe?g|xml|js|txt)$ - [L,R=404] -> if Yes, then respond it by redirect to 404
But then I found if people use Request/Response HTTP analytic tools, the files can easily to be preview at last. I used "Chrome's development tool -> Network tab" and it brings me every files that my flash app need to load