diff --git a/.htaccess b/.htaccess
index b0b55d58649910f20c3f597dc317a81a2ed986e0..4031da475cfb1c94f070ff81037f8bdcd1dd4c00 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,9 +1,9 @@
 #
-# Apache/mod_php/Drupal settings:
+# Apache/PHP/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,11 +24,8 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
-# at runtime.
-#
-# PHP only reads settings from this file if it is running as an Apache module.
-# If PHP is running as a CGI script, see .user.ini.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
+# changed at runtime.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>
diff --git a/.user.ini b/.user.ini
deleted file mode 100644
index 95d89560ff106aa4017430b029619157d8800e91..0000000000000000000000000000000000000000
--- a/.user.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-; Most of the following PHP settings cannot be changed at runtime. See
-; sites/default/default.settings.php and
-; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
-; at runtime.
-;
-; PHP only reads settings from this file if it is running as a CGI script. If
-; PHP is running as an Apache module, see .htaccess.
-
-; Disable PHP assertions.
-assert.active = 0
diff --git a/composer.lock b/composer.lock
index e239adab8e9d1289d90fbf0139186ddd7c001b20..ccd477eac316e3c05b2205c7c0e2ad4be8e57f30 100644
--- a/composer.lock
+++ b/composer.lock
@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "436f1c4b149b110c60db014909edf6ff2e6fc9f9"
+                "reference": "cc2af7de02a19bfde449293a84468f5fb1e33cea"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -585,7 +585,6 @@
                         "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                         "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                         "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
-                        "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                         "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                         "[web-root]/index.php": "assets/scaffold/files/index.php",
                         "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",
diff --git a/core/assets/scaffold/files/htaccess b/core/assets/scaffold/files/htaccess
index b0b55d58649910f20c3f597dc317a81a2ed986e0..4031da475cfb1c94f070ff81037f8bdcd1dd4c00 100644
--- a/core/assets/scaffold/files/htaccess
+++ b/core/assets/scaffold/files/htaccess
@@ -1,9 +1,9 @@
 #
-# Apache/mod_php/Drupal settings:
+# Apache/PHP/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,11 +24,8 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
-# at runtime.
-#
-# PHP only reads settings from this file if it is running as an Apache module.
-# If PHP is running as a CGI script, see .user.ini.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
+# changed at runtime.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>
diff --git a/core/assets/scaffold/files/user.ini b/core/assets/scaffold/files/user.ini
deleted file mode 100644
index 95d89560ff106aa4017430b029619157d8800e91..0000000000000000000000000000000000000000
--- a/core/assets/scaffold/files/user.ini
+++ /dev/null
@@ -1,10 +0,0 @@
-; Most of the following PHP settings cannot be changed at runtime. See
-; sites/default/default.settings.php and
-; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
-; at runtime.
-;
-; PHP only reads settings from this file if it is running as a CGI script. If
-; PHP is running as an Apache module, see .htaccess.
-
-; Disable PHP assertions.
-assert.active = 0
diff --git a/core/assets/scaffold/files/web.config b/core/assets/scaffold/files/web.config
index 408b16d96fa6b5455b3e6ae38a5236463f86cae1..b769e45e3699a1419572aede8c58da4a50b3c70c 100644
--- a/core/assets/scaffold/files/web.config
+++ b/core/assets/scaffold/files/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 
diff --git a/core/composer.json b/core/composer.json
index 05c7c56b12db1af0cb4534927b671b8225619edd..9ae3cab9bee5415398f1cc443919a2524437123f 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -127,7 +127,6 @@
                 "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                 "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                 "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
-                "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                 "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                 "[web-root]/index.php": "assets/scaffold/files/index.php",
                 "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/.user.ini b/core/modules/system/tests/fixtures/HtaccessTest/.user.ini
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/core/modules/system/tests/src/Functional/System/HtaccessTest.php b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
index 2a88bf768b13cd4b45c3eddf88862472d0f5a460..09046c446fc9b5a4bb71b5d49b6a53e2bc730ca2 100644
--- a/core/modules/system/tests/src/Functional/System/HtaccessTest.php
+++ b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
@@ -98,7 +98,6 @@ protected function getProtectedFiles() {
     // Ensure web server configuration files cannot be accessed.
     $file_paths["$path/.htaccess"] = 403;
     $file_paths["$path/web.config"] = 403;
-    $file_paths["$path/.user.ini"] = 403;
 
     return $file_paths;
   }
diff --git a/web.config b/web.config
index 408b16d96fa6b5455b3e6ae38a5236463f86cae1..b769e45e3699a1419572aede8c58da4a50b3c70c 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>