Like cache, files, images\avatars\upload, includes and store, the directory named « config » has a .htaccess file for the Apache web server in order to deny access.
However, the sample config files for other web servers (docs/lighttpd.sample.conf and docs/nginx.sample.conf) do not reflect that restriction. Only the "config" PHP file is denied, not the directory. The same applies to the web.config for IIS. The config directory restriction should be added to the IIS/lighttpd/nginx files.
- - - - - - -
For nginx.sample.conf, the line...
...could be replaced by that one:
The presence of config in the location denies both the config directory and config.php for nginx.
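One way to check a server configuration for the gap described above (an added example, not part of the original report or the project's code): the script pulls the `deny all` regex locations out of an nginx fragment and probes a file inside each protected directory. Both fragments are constructed for illustration and are not the contents of docs/nginx.sample.conf; the helper names are hypothetical.

```python
import re

# Directories the report lists as protected by .htaccess under Apache.
PROTECTED = ["cache", "files", "images/avatars/upload", "includes", "store", "config"]

# Constructed nginx fragments (NOT the contents of docs/nginx.sample.conf).
FILE_ONLY = r"""
location ~ /(config\.php|cache|files|images/avatars/upload|includes|store) {
    deny all;
}
"""
WITH_DIR = r"""
location ~ /(config|cache|files|images/avatars/upload|includes|store) {
    deny all;
}
"""

# Matches simple, non-nested regex locations: modifier, pattern, body.
LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{([^{}]*)\}")

def deny_patterns(conf):
    """Compile the regex of every regex location whose body contains 'deny all;'."""
    patterns = []
    for modifier, regex, body in LOCATION_RE.findall(conf):
        if re.search(r"\bdeny\s+all\s*;", body):
            flags = re.IGNORECASE if modifier == "~*" else 0
            patterns.append(re.compile(regex, flags))
    return patterns

def is_denied(conf, uri):
    # nginx regex locations are unanchored matches against the URI path.
    return any(p.search(uri) for p in deny_patterns(conf))

def uncovered(conf):
    """Return probe URIs that no deny location matches."""
    probes = ["/config.php"] + [f"/{d}/probe.txt" for d in PROTECTED]
    return [u for u in probes if not is_denied(conf, u)]

if __name__ == "__main__":
    for name, conf in (("file only", FILE_ONLY), ("with directory", WITH_DIR)):
        print(name, "->", uncovered(conf) or "all probes denied")
```

Because the match is unanchored, the `config` alternative also denies any URI containing `/config` followed by other characters, such as `/configuration.html`.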