diff --git a/.htaccess b/.htaccess
index c32b182..d9f0989 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info\.yml|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
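Review bot: The last alternative on the new `FilesMatch` line still reads `\.php(~|\.sw[op]|\.bak|\.orig\.save)$`, which looks like a typo carried over unchanged from the old line. The first suffix group uses `\.orig|\.save`, but here the `|` is missing, so this branch matches only a literal `.php.orig.save` and leaves `.php.orig` and `.php.save` backup copies uncovered. Since the commit rewrites this line anyway, I would change the tail to `\.php(~|\.sw[op]|\.bak|\.orig|\.save)$`. Only the `mod_authz_core` branch of the block is visible here; the rest of the `<FilesMatch>` section lies outside the hunk.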
diff --git a/core/modules/system/src/Tests/System/HtaccessTest.php b/core/modules/system/src/Tests/System/HtaccessTest.php
new file mode 100644
index 0000000..028956f
--- /dev/null
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -0,0 +1,53 @@
+<?php
+
+/**
+ * @file
+ * Contains Drupal\system\Tests\System\HtaccessTest
+ */
+
+namespace Drupal\system\Tests\System;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests access restrictions provided by the default .htaccess file.
+ *
+ * @group system
+ */
+class HtaccessTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = ['file'];
+
+  /**
+   * Tests accessing YAML file extensions.
+   */
+  public function testYamlFileAccess() {
+    // Try accessing the core services YAML file.
+    $this->drupalGet('core/core.services.yml');
+    $this->assertResponse(403);
+    // Try accessing a core module YAML file.
+    $this->drupalGet('core/modules/system/system.services.yml');
+    $this->assertResponse(403);
+
+    $file_params = array(
+      'filename' => 'test.yml',
+      'uri' => 'public://test.yml',
+      'filemime' => 'text/yaml',
+      'status' => FILE_STATUS_PERMANENT,
+    );
+    // Create a new file entity.
+    $file = entity_create('file', $file_params);
+    file_put_contents($file->getFileUri(), 'test: value');
+    $file->save();
+
+    // Access the file saved in the public files directory.
+    $this->drupalGet($file->url());
+    $this->assertResponse(200);
+  }
+
+}
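Review bot: The closing `assertResponse(200)` in `testYamlFileAccess()` relies on behaviour this diff does not show. The new `FilesMatch` pattern has no path component, so `test.yml` under the public files directory would appear to match `\.(…|yml)…$` just like the core files asserted as 403 above. If the exemption comes from the test environment or a per-directory override, say so in a comment above the final `drupalGet()`, e.g. `// YAML files in the public files directory must stay downloadable; the deny rule is lifted there by <mechanism>.` Separately, the return value of `file_put_contents()` is not checked, so a failed write would surface as a confusing response-code failure; `$this->assertTrue(file_put_contents($file->getFileUri(), 'test: value') !== FALSE);` would make a setup failure explicit.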
diff --git a/web.config b/web.config
index b71c37c..b072d9b 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|info\.yml|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 
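Review bot: The new `<match url=…>` line gains `yml` but still has no counterpart to the backup-suffix group `(~|\.sw[op]|\.bak|\.orig|\.save)?` that the `.htaccess` pattern in this same commit applies. Under IIS, a `*.yml~` or `*.yml.bak` copy is therefore not caught by this rule, and `make` is also missing from the extension list compared with `.htaccess`. If the two files are meant to stay in parity, I would extend the first group to `…|xtmpl|yml|svn-base)(~|\.sw[op]|\.bak|\.orig|\.save)?$`. The added HtaccessTest presumably runs only against whichever web server hosts the test run, so this rule likely has no automated coverage. The enclosing `<rules>` element continues outside the hunk.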
