IMPORTANT

It is important to note that apache WILL server hidden content (hidden files defined by '.' eg .hidden).
The httpd.conf or apache2.conf file comes with an entry preventing .htaccess and .htpasswd files being served:

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Will will need to add an entry preventing other/all hidden files being served. Add the following content directly under the above content in the httpd.conf (apache2.conf file)

<LocationMatch ^(.*/)\..*>
  Order Allow,Deny
  Deny from All
  Satisfy All
</LocationMatch>