busybox11 / NowPlaying-for-Spotify

A Spotify Connect visualizer
https://nowplayi.ng
GNU General Public License v3.0

Patch .env security hole #69

Closed JohnB17 closed 3 years ago

JohnB17 commented 3 years ago

#68 and #67 added a .env, but in its current state you can go to https://yoursite.com/.env and it would download the .env to its fullest. This pull request redirects /.env to the error 403 page, but since Nginx doesn't support .htaccess, I added instructions for Nginx to the readme. I also updated the readme to change the instructions on how to add Spotify id and secret since they still said the PHP files.
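A regression check for the exposure described in this comment, added here as an example and not code from this pull request or the project. The two handlers are stand-ins for the web server before and after a deny rule for dotfiles; `EXAMPLE_SECRET`, the handler names and `env_status` are assumptions made for illustration.

```python
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request


class Quiet(http.server.SimpleHTTPRequestHandler):
    """Plain static file serving: the 'before' state, dotfiles included."""
    def log_message(self, *args):
        pass


class DenyDotfiles(Quiet):
    """'After' state: refuse any path with a segment that starts with a dot."""
    def do_GET(self):
        # Decode first so a percent-encoded dot (/%2eenv) is caught as well.
        path = urllib.parse.unquote(self.path.split("?", 1)[0])
        if any(seg.startswith(".") for seg in path.split("/") if seg):
            self.send_error(403)
            return
        super().do_GET()


def env_status(base_url):
    """Return the HTTP status code a site answers with for /.env."""
    try:
        with urllib.request.urlopen(base_url + "/.env", timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Serve a constructed .env under both handlers and collect the statuses."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write("EXAMPLE_SECRET=constructed-value\n")  # constructed sample
        for name, cls in (("before", Quiet), ("after", DenyDotfiles)):
            handler = functools.partial(cls, directory=root)
            srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            results[name] = env_status("http://127.0.0.1:%d" % srv.server_port)
            srv.shutdown()
            srv.server_close()
    return results
```

`demo()` returns the status for each state; `env_status` can also be pointed at your own deployment after the Apache or Nginx rule is in place, where anything other than a 403 or 404 means the file is still being served.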

finnie2006 commented 3 years ago

Thx for making the pr

busybox11 commented 3 years ago

Thanks a lot for your PR!