diff --git a/CHANGELOG.md b/CHANGELOG.md
index fb33a13633..2f7a39786a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,14 @@
+## UNRELEASED
+### Summary
+
+TODO
+
+###
+
+#### Security
+
+* apache::mod::php now uses FilesMatch to configure the php handler. This is following the recommended upstream configuration guidelines (http://php.net/manual/en/install.unix.apache2.php#example-20) and distribution's default config (e.g.: http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/vivid/php5/vivid/view/head:/debian/php5.conf). It avoids inadvertently exposing the PHP handler to executing uploads with names like 'file.php.jpg', but might impact setups with unusual requirements.
+
 ## 2015-11-17 - Supported Release 1.7.0
 ### Summary
 This release includes many new features and bugfixes. There are test, documentation and misc improvements.
diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb
index 246b3bbd49..6814b8a8f1 100644
--- a/spec/classes/mod/php_spec.rb
+++ b/spec/classes/mod/php_spec.rb
@@ -88,7 +88,7 @@
 let :params do
 { :extensions => ['.php','.php5']}
 end
- it { is_expected.to contain_file("php5.conf").with_content(/AddHandler php5-script .php .php5\n/) }
+ it { is_expected.to contain_file("php5.conf").with_content(Regexp.new(Regexp.escape(''))) }
 end
 context "with specific version" do
 let :pre_condition do
diff --git a/templates/mod/php5.conf.erb b/templates/mod/php5.conf.erb
index 44df2ae066..3fd1000390 100644
--- a/templates/mod/php5.conf.erb
+++ b/templates/mod/php5.conf.erb
@@ -14,8 +14,9 @@
 #
 # Cause the PHP interpreter to handle files with a .php extension.
 #
-AddHandler php5-script <%= @extensions.flatten.compact.join(' ') %>
-AddType text/html .php
+)$">
+ SetHandler php5-script
+
 
 #
 # Add index.php to the list of files that will be served as directory
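Review bot: The replacement expectation in the "with extensions" example, as it reads on this page, builds its pattern from `Regexp.escape('')`, and an empty pattern matches any file content, so the example would still pass if the template kept emitting `AddHandler`. The string literal may have been lost when the page was rendered; check the committed spec and make sure it pins the full `FilesMatch` line generated for `['.php','.php5']`. Because this change is a security fix, I would also add a negative example beside it, `it { is_expected.not_to contain_file("php5.conf").with_content(/^AddHandler/) }`, so that a regression to the old directive fails the suite. The enclosing `context` block starts above the hunk.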
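Review bot: The opening `FilesMatch` line is only partly visible here (`)$">`), so it is not clear that each entry of `@extensions` is regex-escaped before it is joined into the alternation. The removed `AddHandler` line took the entries as plain tokens, whereas an unescaped `.` or other metacharacter in an extension would now widen what the handler matches. I would build the group with `@extensions.flatten.compact.map { |e| Regexp.escape(e) }.join('|')`. An empty list also needs a guard, because an empty group before `$` would presumably match every filename and hand all files to `php5-script`; skip the block or fail the catalog in that case. The comment above the directive should state the new rule, e.g. `# Only files whose name ends in one of the configured extensions are handled by PHP.`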