It is important to note that apache WILL server hidden content (hidden files defined by '.' eg .hidden).
The httpd.conf or apache2.conf file comes with an entry preventing .htaccess and .htpasswd files being served:
# The following lines prevent .htaccess and .htpasswd files from being # viewed by Web clients. # <Files ~ "^\.ht"> Order allow,deny Deny from all Satisfy All </Files>
<LocationMatch ^(.*/)\..*> Order Allow,Deny Deny from All Satisfy All </LocationMatch>