Prevent access to YAML files using .htaccess and web.config

Problem/Motivation

Currently, Apache, IIS and any other web server will deliver YAML (.yml) files, assuming they have not been denied at the global level.

In Drupal 8, YAML files can contain sensitive information that may give intruders insight into a system, or information that is outright private. This is a particular concern because default values for variables are now set in YAML.

In Drupal 7 and earlier, this information was typically in the .info, .module, or .inc files, which were protected by the primary .htaccess from the site.

Proposed resolution

The default .htaccess and web.config files should include rules that, by default, deny access to YAML files residing in the normal locations.

The files directory (or directories) should not be subject to these restrictions.
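As an added illustration of the Apache side of this proposal (example configuration, not the issue's patch or Drupal's shipped .htaccess), the first block belongs in the web root .htaccess and denies direct HTTP requests for YAML files; the second, assumed to live in the files directory's own .htaccess, re-grants them there as the text requires. It assumes mod_authz_core on Apache 2.4 and mod_access_compat syntax on 2.2.

```apache
# --- web root .htaccess (added example) -----------------------------
# Deny direct requests for YAML files, including common editor
# backup/swap variants that would otherwise bypass a plain ".yml" match.
# PHP still reads these files from disk; only HTTP delivery is blocked.
<FilesMatch "\.ya?ml(~|\.sw[op]|\.bak|\.orig|\.save)?$">
  <IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2: "Order allow,deny" with no Allow line denies everyone
    Order allow,deny
  </IfModule>
</FilesMatch>

# --- files directory .htaccess (assumed location, added example) ------
# Per-directory config is merged after the parent's, so a later
# FilesMatch re-grants access to YAML under the public files directory,
# which the proposal says must not be subject to the restriction.
<FilesMatch "\.ya?ml$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
</FilesMatch>
```

Once in place, a direct request for a .yml path under the web root (such as the core/modules/system/config/system.site.yml path named in the original report) should return 403 Forbidden, while the same file name under the files directory is still served.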

Remaining tasks

None?

User interface changes

None.

API changes

None.

Original report by @alexpott

We should be preventing Apache from serving YAML files as it'll be possible to get all sorts of information from them. The config directories are protected by their own .htaccess files, but I don't think we should be exposing default module configuration, e.g. core/modules/system/config/system.site.yml, or service config, e.g. core/lib/Drupal/Core/CoreBundle.yml (see #1939660: Use YAML as the primary means for service registration), either.

I'm not 100% certain this is the right approach - creating this issue to track the discussion.
