On my Apache server I do not want to serve any file with a .config extension because it could contain potentially confidential information. In my apache2.conf file I added:
Require all denied
Then I restarted Apache and tried it. Works. Almost. None of the files db.config, redirect.config, UrlTypes.config or hidden.config are served, which was the point, BUT a file called web.config is served (it is in the same directory as the others). Why, and what is so special about web.config that it does not follow the indications?