The default PHP example is insecure on Windows.
It needs to be ~* instead of ~. Otherwise, someone can request .PHP instead of .php and
read the text of the PHP file. You may want to point this out somewhere in the docs, or just
make the default matching ~* in the default, example configuration.
This is probably not an issue for people who think about it, but I suspect many people will just
use the defaults.
-James
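
An added example, not part of the original message or of the project's own configuration: a small Python check that flags the case-sensitive PHP match described above and shows why `.PHP` slips past it. It assumes `~` and `~*` are nginx `location` regex modifiers; the sample configurations, function names and FastCGI address are constructed for illustration.

```python
import re

# Header of a regex location block: "location ~ pattern {" or "location ~* pattern {".
# Commented-out lines (starting with '#') are ignored on purpose.
LOCATION_RE = re.compile(r'^[ \t]*location\s+(~\*?)\s+(\S+)\s*\{', re.MULTILINE)

def find_case_sensitive_php_locations(conf_text):
    """Return (line_number, pattern) for each case-sensitive regex location targeting php."""
    findings = []
    for m in LOCATION_RE.finditer(conf_text):
        modifier, pattern = m.group(1), m.group(2)
        if modifier == "~" and "php" in pattern.lower():
            line_no = conf_text.count("\n", 0, m.start(2)) + 1
            findings.append((line_no, pattern))
    return findings

def routes_to_php(modifier, pattern, uri):
    """Mimic the match decision: '~' is case-sensitive, '~*' is case-insensitive."""
    flags = re.IGNORECASE if modifier == "~*" else 0
    return re.search(pattern, uri, flags) is not None

# Constructed sample: case-sensitive match, as in the example the message refers to.
WEAK_CONF = r"""
server {
    location / { root html; }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

# Constructed sample: the change the message proposes.
FIXED_CONF = WEAK_CONF.replace("location ~ ", "location ~* ")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, find_case_sensitive_php_locations(conf))
    # On a case-insensitive filesystem /index.PHP and /index.php are the same file,
    # so a request that misses the PHP location falls through to static serving.
    for mod in ("~", "~*"):
        print(mod, routes_to_php(mod, r"\.php$", "/index.PHP"))
```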