diff --git a/docs/en/changelogs/3.0.9.md b/docs/en/changelogs/3.0.9.md index 089cde8f8..d734f9f61 100644 --- a/docs/en/changelogs/3.0.9.md +++ b/docs/en/changelogs/3.0.9.md 
@@ -2,34 +2,11 @@ ## Overview -### Default current Versioned "stage" to "Live" rather than "Stage" + * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1)) + * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/)) -Previously only the controllers responsible for page and CMS display -(`LeftAndMain` and `ContentController`) explicitly set a stage through -`Versioned::choose_site_stage()`. Unless this method is called, -the default stage will be "Stage", showing draft content. -Any direct subclasses of `Controller` interacting with "versioned" objects -are vulnerable to exposing unpublished content, unless `choose_site_stage()` -is called explicitly in their own logic. +## Changelog -In order to provide more secure default behaviour, we have changed -`choose_site_stage()` to be called on all requests, defaulting to the "Live" stage. -If your logic relies on querying draft content, use `Versioned::reading_stage('Stage')`. - -Important: The `choose_site_stage()` call only deals with setting the default stage, -and doesn't check if the user is authenticated to view it. As with any other controller logic, -please use `DataObject->canView()` to determine permissions. - - :::php - class MyController extends Controller { - private static $allowed_actions = array('showpage'); - public function showpage($request) { - $page = Page::get()->byID($request->param('ID')); - if(!$page->canView()) return $this->httpError(401); - // continue with authenticated logic... 
- } - } - -### API Changes - - * 2013-08-03 [0e7231f](https://github.com/silverstripe/sapphire/commit/0e7231f) Disable discontinued Google Spellcheck in TinyMCE (Ingo Schommer) \ No newline at end of file + * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9) + * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9) + * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9) \ No newline at end of file diff --git a/docs/en/changelogs/rc/3.0.9-rc1.md b/docs/en/changelogs/rc/3.0.9-rc1.md new file mode 100644 index 000000000..6babc2b0d --- /dev/null +++ b/docs/en/changelogs/rc/3.0.9-rc1.md @@ -0,0 +1,12 @@ +# 3.0.9-rc1 (2014-02-19) + +## Overview + + * Security: Require ADMIN for ?flush=1&isDev=1 ([SS-2014-001](http://www.silverstripe.org/ss-2014-001-require-admin-for-flush1-and-isdev1)) + * Security: XSS in third party library (SWFUpload) ([SS-2014-002](http://www.silverstripe.org/ss-2014-002-xss-in-third-party-library-swfupload/)) + + ## Changelog + + * [framework](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1) + * [cms](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1) + * [installer](https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9-rc1) \ No newline at end of file diff --git a/docs/en/installation/composer.md b/docs/en/installation/composer.md index edfb69996..4b1bf998f 100644 --- a/docs/en/installation/composer.md +++ b/docs/en/installation/composer.md 
@@ -115,7 +115,7 @@ So you want to contribute to SilverStripe? Fantastic! You can do this with compo You have to tell composer three things in order to be able to do this: - Keep the full git repository information - - Include dependancies marked as "developer" requirements + - Include dependencies marked as "developer" requirements - Use the development version, not the latest stable version The first two steps are done as part of the initial create project using additional arguments. @@ -232,7 +232,7 @@ For more information, read the ["Repositories" chapter of the Composer documenta ### Forks and branch names -Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the depenency resolution gets confused. +Generally, you should keep using the same pattern of branch names as the main repositories does. If your version is a fork of 3.0, then call the branch `3.0`, not `3.0-myproj` or `myproj`. Otherwise, the dependency resolution gets confused. Sometimes, however, this isn't feasible. For example, you might have a number of project forks stored in a single repository, such as your personal github fork of a project. Or you might be testing/developing a feature branch. Or it might just be confusing to other team members to call the branch of your modified version `3.0`. diff --git a/docs/en/installation/nginx.md b/docs/en/installation/nginx.md index 844a6d296..4164f720d 100644 --- a/docs/en/installation/nginx.md +++ b/docs/en/installation/nginx.md @@ -1,6 +1,6 @@ # Nginx -These instructions are also covered in less detail on the +These instructions are also covered on the [Nginx Wiki](http://wiki.nginx.org/SilverStripe). The prerequisite is that you have already installed Nginx and you are 
@@ -18,150 +18,79 @@ But enough of the disclaimer, on to the actual configuration — typically in `n server { listen 80; - server_name example.com; - - root /var/www/example.com; - - # SSL configuration (optional, but recommended for security) - # (remember to actually force logins to use ssl) - include ssl - - include silverstripe3.conf; - include htaccess.conf; - - # rest of the server section is optional, but helpful - # maintenance page if it exists - error_page 503 @maintenance; - if (-f $document_root/maintenance.html ) { - return 503; + root /path/to/ss/folder; + + server_name site.com www.site.com; + + location / { + try_files $uri /framework/main.php?url=$uri&$query_string; } - location @maintenance { - try_files /maintenance.html =503; - } - - # always show SilverStripe's version of 500 error page + + error_page 404 /assets/error-404.html; error_page 500 /assets/error-500.html; - - # let the user's browser cache static files (e.g. 2 weeks) - expires 2w; - - # in case your machine is slow, increase the timeout - # (also remembers php's own timeout settings) - #fastcgi_read_timeout 300s; - } - -Here is the include file `silverstripe3.conf`: - - location / { - try_files $uri @silverstripe; - } - # only needed for installation - disable this location (and remove the - # index.php and install.php files) after you installed SilverStripe - # (you did read the blogentry linked above, didn't you) - location ~ ^/(index|install).php { - fastcgi_split_path_info ^((?U).+\.php)(/?.+)$; - include fastcgi.conf; - fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock; - } + location ^~ /assets/ { + sendfile on; + try_files $uri =404; + } - # whitelist php files that are called directly and need to be interpreted - location = /framework/thirdparty/tinymce/tiny_mce_gzip.php { - include fastcgi.conf; - fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock; - } - location = /framework/thirdparty/tinymce-spellchecker/rpc.php { - include fastcgi.conf; - fastcgi_pass 
unix:/run/php-fpm/php-fpm-silverstripe.sock; - } + location ~ /framework/.*(main|rpc|tiny_mce_gzip)\.php$ { + fastcgi_keep_conn on; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } - location @silverstripe { - expires off; - include fastcgi.conf; - fastcgi_pass unix:/run/php-fpm/php-fpm-silverstripe.sock; - # note that specifying a fixed script already protects against execution - # of arbitrary files, but remember the advice above for any other rules - # you add yourself (monitoring, etc,....) - fastcgi_param SCRIPT_FILENAME $document_root/framework/main.php; - fastcgi_param SCRIPT_NAME /framework/main.php; - fastcgi_param QUERY_STRING url=$uri&$args; - - # tuning is up to your expertise, but buffer_size needs to be >= 8k, - # otherwise you'll get "upstream sent too big header while reading - # response header from upstream" errors. - fastcgi_buffer_size 8k; - #fastcgi_buffers 4 32k; - #fastcgi_busy_buffers_size 64k; + location ~ /(mysite|framework|cms)/.*\.(php|php3|php4|php5|phtml|inc)$ { + deny all; + } + + location ~ /\.. { + deny all; + } + + location ~ \.ss$ { + satisfy any; + allow 127.0.0.1; + deny all; + } + + location ~ web\.config$ { + deny all; + } + + location ~ \.ya?ml$ { + deny all; + } + + location ^~ /vendor/ { + deny all; + } + + location ~* /silverstripe-cache/ { + deny all; + } + + location ~* composer\.(json|lock)$ { + deny all; + } + + location ~* /(cms|framework)/silverstripe_version$ { + deny all; + } + + location ~ \.php$ { + fastcgi_keep_conn on; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + include fastcgi_params; + } } -
-With only the above configuration, nginx would hand out any existing file -uninterpreted, so it would happily serve your precious configuration files, -including all your private api-keys and whatnot to any random visitor. So you -**must** restrict access further. -
-You don't need to use separate files, but it is easier to have the permissive -rules distinct from the restricting ones. - -Here is the include file `htaccess.conf`: - - # Don't try to find nonexisting stuff in assets (esp. don't pass through php) - location ^~ /assets/ { - try_files $uri =404; - } - - # Deny access to silverstripe-cache, vendor or composer.json/.lock - location ^~ /silverstripe-cache/ { - deny all; - } - location ^~ /vendor/ { - deny all; - } - location ~ /composer\.(json|lock) { - deny all; - } - - # Don't serve up any "hidden" files or directories - # (starting with dot, like .htaccess or .git) - # also don't serve web.config files - location ~ /(\.|web\.config) { - deny all; - } - - # Block access to yaml files (and don't forget about backup - # files that editors tend to leave behind) - location ~ \.(yml|bak|swp)$ { - deny all; - } - location ~ ~$ { - deny all; - } - - # generally don't serve any php-like files - # (as they exist, they would be served as regular files, and not interpreted. - # But as those can contain configuration data, this is bad nevertheless) - # If needed, you can always whitelist entries. - location ~ \.(php|php[345]|phtml|inc)$ { - deny all; - } - location ~ ^/(cms|framework)/silverstripe_version$ { - deny all; - } - -Here is the optional include file `ssl`: - - listen 443 ssl; - ssl_certificate server.crt; - ssl_certificate_key server.key; - ssl_session_timeout 5m; - ssl_protocols SSLv3 TLSv1; - ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP; - -The above configuration sets up a virtual host `example.com` with -rewrite rules suited for SilverStripe. The location block named -`@silverstripe` passes all requests that aren't matched by one of the other -location rules (and cannot be satisfied by serving an existing file) to -SilverStripe framework's main.php script, that is run by the FastCGI-wrapper, -that in turn is accessed via a Unix socket. 
+The above configuration sets up a virtual host `site.com` with +rewrite rules suited for SilverStripe. The location block for php files +passes all php scripts to the FastCGI-wrapper via a TCP socket. Now you can proceed with the SilverStripe installation normally. diff --git a/docs/en/reference/shortcodes.md b/docs/en/reference/shortcodes.md index a6c6885ac..9a8cf6e98 100644 --- a/docs/en/reference/shortcodes.md +++ b/docs/en/reference/shortcodes.md @@ -100,6 +100,7 @@ CMS users still need to remember the specific syntax, but these shortcodes can f for more advanced editing interfaces (with visual placeholders). See the built-in `embed` shortcode as an example for coupling shortcodes with a form to create and edit placeholders. + ## Built-in Shortcodes SilverStripe comes with several shortcode parsers already. diff --git a/tests/model/SQLQueryTest.php b/tests/model/SQLQueryTest.php index 2c7d9eeed..e5f5470c3 100755 --- a/tests/model/SQLQueryTest.php +++ b/tests/model/SQLQueryTest.php @@ -342,7 +342,6 @@ class SQLQueryTest extends SapphireTest { ); } - public function testSetWhereAny() { $query = new SQLQuery(); $query->setFrom('MyTable'); @@ -352,7 +351,6 @@ class SQLQueryTest extends SapphireTest { } public function testSelectFirst() { - // Test first from sequence $query = new SQLQuery(); $query->setFrom('"SQLQueryTest_DO"'); @@ -398,7 +396,6 @@ class SQLQueryTest extends SapphireTest { } public function testSelectLast() { - // Test last in sequence $query = new SQLQuery(); $query->setFrom('"SQLQueryTest_DO"');
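Review bot: In the new `## Changelog` list of docs/en/changelogs/3.0.9.md, the `cms` and `installer` entries link to the same URL as the `framework` entry (`https://github.com/silverstripe/silverstripe-framework/releases/tag/3.0.9`); each should point at its own repository's 3.0.9 release tag. The hunk also drops the entire "Default current Versioned stage to Live" upgrade note (including the `canView()` controller example) and the "API Changes" list; if that behaviour change still ships in 3.0.9, integrators lose the only notice that direct `Controller` subclasses now default to the "Live" stage and that `Versioned::reading_stage('Stage')` is needed for draft content, so that text should be kept or moved rather than replaced by the two advisory bullets alone.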
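Review bot: The new file docs/en/changelogs/rc/3.0.9-rc1.md repeats the link problem: `cms` and `installer` both point at `silverstripe-framework/releases/tag/3.0.9-rc1` instead of their own repositories. The `## Changelog` heading is also indented by one space (`+ ## Changelog`), unlike the sibling 3.0.9.md file, and the file is added without a trailing newline; both are easy to fix before merge.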
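Review bot: The "Forks and branch names" hunk in docs/en/installation/composer.md corrects `depenency` to `dependency`, but the same sentence still reads "as the main repositories does"; while touching this line, change it to "as the main repositories do".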
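Review bot: The rewritten server block in docs/en/installation/nginx.md weakens the deny-by-default posture of the configuration it replaces. The trailing `location ~ \.php$` passes any `.php` file not caught by an earlier rule to FastCGI, while the `deny all` rule only covers `/(mysite|framework|cms)/`, so a PHP file in any other directory (a third-party module, a theme, a stray copy in the web root) is executed instead of blocked; the removed `htaccess.conf` denied every php-like extension globally and whitelisted only `main.php`, `tiny_mce_gzip.php` and `rpc.php`. Suggest keeping the `/framework/.*(main|rpc|tiny_mce_gzip)\.php$` location, following it with a global `location ~ \.(php|php[345]|phtml|inc)$ { deny all; }`, and dropping the catch-all `\.php$` block. The removed rules for editor backup files (`\.(bak|swp)$` and `~$`) have no replacement, the prose warning that nginx will otherwise serve configuration files "including all your private api-keys" to any visitor is gone, and the note that `fastcgi_buffer_size` must be at least 8k to avoid "upstream sent too big header" errors was dropped; the new paragraph should also say that `fastcgi_pass 127.0.0.1:9000` assumes php-fpm is listening on that TCP port rather than on a Unix socket.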
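Review bot: The three hunks in tests/model/SQLQueryTest.php only remove a blank line and the comments `// Test first from sequence` and `// Test last in sequence`; those comments were the only description of what `testSelectFirst()` and `testSelectLast()` cover, and the edits are unrelated to the documentation and security-advisory changes in the rest of this patch, so either keep the comments or split this cleanup into its own commit.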