diff --git a/dev/install/install.php5 b/dev/install/install.php5
index ae333d319..cc19ba4dc 100644
--- a/dev/install/install.php5
+++ b/dev/install/install.php5
@@ -1280,6 +1280,8 @@ ErrorDocument 500 /assets/error-500.html
RedirectMatch 403 /silverstripe-cache(/|$)
+ RedirectMatch 403 /vendor(/|$)
+ RedirectMatch 403 /composer\.(json|lock)
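Review bot: The two added `RedirectMatch` patterns are unanchored, and `/composer\.(json|lock)` also lacks a terminator, unlike the `(/|$)` used on the `silverstripe-cache` line above. As written, `/vendor(/|$)` returns 403 for any path that has a `vendor` segment at any depth, which includes a theme or module directory that serves front-end assets from `vendor/`. The composer pattern matches any URL path in which `/composer.json` or `/composer.lock` is only the start of a longer name. If the broad match is deliberate so that module-level composer files are covered as well, note that in a comment in the generated `.htaccess`. Otherwise end the composer pattern with `$` and decide whether the `vendor` rule should apply only at the project root.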
diff --git a/docs/en/changelogs/3.0.4.md b/docs/en/changelogs/3.0.4.md
index a9e5e4466..7021f5a6b 100644
--- a/docs/en/changelogs/3.0.4.md
+++ b/docs/en/changelogs/3.0.4.md
@@ -2,14 +2,52 @@
## Overview
+ * Security: Information leakage through web access on YAML configuration files
+ * Security: Information leakage through web access on composer files
+ * Security: Require ADMIN permissions for `?showtemplate=1`
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
- * Require ADMIN permissions for `?showtemplate=1`
## Details
-### Require ADMIN permissions for `?showtemplate=1`
+### Security: Prevent web access to YAML and composer files
-Avoids information leakage of compiled template data,
+Severity: Moderate
+
+Description: YAML files are used to configure the SilverStripe application
+since its 3.0 release. These files can contain sensitive values such as database
+and API credentials. By default, the installer still stores database credentials
+in `_config.php` files which are safe from web access. So this only concerns
+configuration values added in your own project, or a third party module.
+
+Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
+with the new files from the project root, and reapply any customizations you've made.
+Follow the [general upgrade instructions](/installation/upgrading).
+The [nginx installation instructions](/installation/nginx)
+have also been updated to reflect those changes.
+
+### Security: Information exposure through web access on composer files
+
+Severity: Low
+
+Description: [Composer](http://getcomposer.org) is a dependency management
+tool which can optionally be used to install SilverStripe. The `composer.json`
+and `composer.lock` files are required for its operation, so they are included
+in the standard release since 3.0.2. These files contain information on the installed
+versions of core and thirdparty modules, which could be used to target specific
+versions of SilverStripe.
+
+Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
+with the new files from the project root, and reapply any customizations you've made.
+Follow the [general upgrade instructions](/installation/upgrading).
+The [nginx installation instructions](/installation/nginx)
+have also been updated to reflect those changes.
+
+
+### Security: Require ADMIN permissions for `?showtemplate=1`
+
+Severity: Low
+
+Description: Avoids information leakage of compiled template data,
which might expose some of the internal template logic.
## Upgrading
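Review bot: Both Resolution paragraphs tell the reader to replace `.htaccess` or `web.config` with the new file and reapply customizations, but neither says which rules are new, so a site with a customized file cannot patch it in place or confirm the fix afterwards. Quote the added directives in the text, for example the `RedirectMatch 403 /vendor(/|$)` and `RedirectMatch 403 /composer\.(json|lock)` lines for Apache, along with the IIS and nginx equivalents. The first Details heading, "Prevent web access to YAML and composer files", also overlaps the second section, which covers composer files on its own, and matches neither Overview bullet. Rename it to cover YAML only, and settle on either "leakage" or "exposure" and either "third party" or "thirdparty" throughout. Since the two Resolution paragraphs are identical, the second could refer back to the first. There is also a doubled blank line before the `?showtemplate=1` section.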