Protecting Public directory in Drupal 8.8+
Jul 6, 2021
If you are seeing an error message like this:
…on the admin/reports/status page of your Drupal site, you probably need to add or update the .htaccess file in your public files directory.
Typically, it resides at the web/sites/default/files path.
Modify or create a .htaccess file there with the content below.
Double-check your core version and search your core code to verify that core uses the same content.
Although this is for Apache servers, it seems to work on nginx as well, as the error message stopped displaying.
# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
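An added example (not from the original post or from Drupal core): a small Python audit that parses a files-directory .htaccess, reports which of the directives listed above are missing or sit in the wrong section, and flags a comment that has been pasted onto the same line as a directive. The function name `audit_htaccess`, the constant names and the sample text are assumptions made for illustration.

```python
import re

H2006 = "Drupal_Security_Do_Not_Remove_See_SA_2006_006"
H2013 = "Drupal_Security_Do_Not_Remove_See_SA_2013_003"
# (enclosing section, directive) pairs taken from the .htaccess on this page.
REQUIRED = [("", "Options -" + o) for o in ("Indexes", "ExecCGI", "Includes", "MultiViews")]
REQUIRED += [("", "SetHandler " + H2006), ("Files *", "SetHandler " + H2013),
             ("IfModule", "php_flag engine off")]

def audit_htaccess(text):
    """Return findings for a files-directory .htaccess; [] means all present."""
    findings, stack, seen = [], [], set()      # stack: open <Section> blocks
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                           # blank or whole-line comment
        if "#" in line:
            # Apache allows comments only on their own line, so a fused
            # comment is parsed as directive arguments. Flag it, then strip.
            findings.append(f"line {num}: comment fused onto a directive")
            line = line.split("#", 1)[0].strip()
        section = re.match(r"<(/?)(\w+)([^>]*)>", line)
        if section:
            closing, name, arg = section.groups()
            if not closing:
                # IfModule is keyed by name only, so any module argument matches.
                stack.append(name.lower() if name.lower() == "ifmodule"
                             else f"{name} {arg.strip()}".lower())
            elif stack:
                stack.pop()
            continue
        name, *args = line.lower().split()
        where = stack[-1] if stack else ""
        # Options takes several flags per line; record each one separately.
        for a in (args if name == "options" else [" ".join(args)]):
            seen.add((where, f"{name} {a}"))
    findings += [f"missing at {w or 'top level'}: {d}"
                 for w, d in REQUIRED if (w.lower(), d.lower()) not in seen]
    return findings

# Constructed sample: a comment fused onto the Options line, no <Files *> block.
SAMPLE = f"""Options -Indexes -ExecCGI -Includes -MultiViews# Set the handler
SetHandler {H2006}
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>"""

if __name__ == "__main__":
    print("\n".join(audit_htaccess(SAMPLE)) or "all directives present")
```

nginx does not read .htaccess files, so on nginx this audit shows only that the file is in place; blocking script execution under the files path has to be configured in the nginx server configuration itself.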