From becc5baa344e4307027c1a01ec96f3c2d574b9ab Mon Sep 17 00:00:00 2001
From: Hamish Friedlander <hamish@silverstripe.com>
Date: Thu, 13 Dec 2012 09:02:56 +1300
Subject: [PATCH] API Block all yaml files by default, to reduce the change of
 information leakage

---
 .htaccess | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.htaccess b/.htaccess
index 71c5a9f..132464b 100644
--- a/.htaccess
+++ b/.htaccess
@@ -10,6 +10,13 @@
 	Deny from all
 </Files>
 
+# This denies access to all yml files, since developers might include sensitive
+# information in them. See the docs for work-arounds to serve some yaml files
+<Files *.yml>
+	Order allow,deny
+	Deny from all
+</Files>
+
 ErrorDocument 404 /assets/error-404.html
 ErrorDocument 500 /assets/error-500.html