Update htaccess

config/default/environments/develop/.htaccess

@@ -22,3 +22,6 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 <IfModule mod_php7.c>
   php_flag engine off
 </IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>

config/default/environments/live/.htaccess

@@ -22,3 +22,6 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 <IfModule mod_php7.c>
   php_flag engine off
 </IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>

config/default/environments/nirvana/.htaccess

@@ -22,3 +22,6 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 <IfModule mod_php7.c>
   php_flag engine off
 </IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>

config/default/environments/snapshot/.htaccess

@@ -22,3 +22,6 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 <IfModule mod_php7.c>
   php_flag engine off
 </IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>

config/default/environments/test/.htaccess

@@ -22,3 +22,6 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 <IfModule mod_php7.c>
   php_flag engine off
 </IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>

drush/.htaccess

+# Deny all requests from Apache 2.4+.
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+
+# Deny all requests from Apache 2.0-2.2.
+<IfModule !mod_authz_core.c>
+  Deny from all
+</IfModule>
+
+# Turn off all options we don't need.
+Options -Indexes -ExecCGI -Includes -MultiViews
+
+# Set the catch-all handler to prevent scripts from being executed.
+SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+<Files *>
+  # Override the handler again if we're run later in the evaluation list.
+  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
+</Files>
+
+# If we know how to do it safely, disable the PHP engine entirely.
+<IfModule mod_php7.c>
+  php_flag engine off
+</IfModule>
+<IfModule mod_php.c>
+  php_flag engine off
+</IfModule>