Document that yaml files shouldnt be served directly

docs/en/installation/nginx.md

@@ -68,6 +68,11 @@ Here is the include file `htaccess`:
 		try_files $uri $uri/ =404;
 	}
 	
+	# Block access to yaml files
+	location ~ \.yml$ {
+		deny all;
+	}
+	
 	# cms & framework .htaccess rules
 	location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
 		deny all;

docs/en/installation/webserver.md

@@ -27,3 +27,17 @@ name' and the default login details. Follow the questions and select the *instal
 ## Issues?
 
 If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+
+## Security notes
+
+### Yaml
+
+For the reasons explained in [security](/topics/security) Yaml files are blocked by default by the .htaccess file
+provided by the SilverStripe installer module.
+
+To allow serving yaml files from a specific directory, add code like this to an .htaccess file in that directory
+
+	<Files *.yml>
+		Order allow,deny
+		Allow from all
+	</Files>

docs/en/topics/security.md

@@ -363,6 +363,16 @@ file in the assets directory.  This requires PHP to be loaded as an Apache modul
 	php_flag engine off
 	Options -ExecCGI -Includes -Indexes 
 
+### Don't allow access to .yml files
+
+Yaml files are often used to store sensitive or semi-sensitive data for use by SilverStripe framework (for instance,
+configuration and test fixtures).
+
+You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
+you need to serve directly.
+
+See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details 
+specific to your web server
 
 ##  Related