I follow the convention that XML configuration files for Mach-II, ColdSpring, and Transfer ORM go in the $WEBROOT/$APPROOT/config directory. This directory is web accessible, and unless otherwise protected, would leak information that could be compromising. There are many ways to secure this information, but a quick and dirty way to do it is add a .htaccess file to the source tree:
# /home/www/sites/example.com/app/config/.htaccess Order by allow,deny Deny from all
Of course, this will only work if Apache is configured with the default AccessFileName directive and the config directory is beneath a path with AllowOverride specifying (at least) Limit. For example:
# /etc/httpd/conf.d/example.com.conf <Directory /home/www/sites/example.com> AllowOverride Limit </Directory>
Another method that I use on sites with large sets of URL rewrite rules, is creating a rule to forbid access to matching URLs. For example:
# /etc/httpd/conf.d/example.com.conf RewriteRule ^/app/config/.* / [L,F]
The rewrite has the same effect, but doesn't require the .htaccess file or AllowOverride directive.