diff --git a/.htaccess b/.htaccess
index b26c63bb57e23e8c498c40aa3bd7830c8583f798..01c63af981f73adcbdf6c2e3381c1ab6808cee78 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,9 +15,6 @@
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
-
# Set the default handler.
DirectoryIndex index.php index.html index.htm
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index e4e7fde44f23c0fc72edf8e931024a5ae4f21065..b6a2a9dc246f94e90196dd74bd857e1d69f31e3b 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
@@ -79,8 +79,7 @@ public function save($name, $code) {
public static function htaccessLines($private = TRUE) {
$lines = <<<EOF
# Turn off all options we don't need.
-Options None
-Options +FollowSymLinks
+Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
diff --git a/core/modules/system/src/Tests/File/HtaccessUnitTest.php b/core/modules/system/src/Tests/File/HtaccessUnitTest.php
index c8599b3af0c9904bfffdbe03cd202354125ac13a..9f5273c258142a026cc976e5de835689544c37ec 100644
--- a/core/modules/system/src/Tests/File/HtaccessUnitTest.php
+++ b/core/modules/system/src/Tests/File/HtaccessUnitTest.php
@@ -40,8 +40,7 @@ function testHtaccessSave() {
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertFalse(strpos($content, "Require all denied") !== FALSE);
$this->assertFalse(strpos($content, "Deny from all") !== FALSE);
- $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($public . '/.htaccess', 0444);
@@ -54,8 +53,7 @@ function testHtaccessSave() {
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertTrue(strpos($content, "Require all denied") !== FALSE);
$this->assertTrue(strpos($content, "Deny from all") !== FALSE);
- $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($private . '/.htaccess', 0444);
@@ -68,8 +66,7 @@ function testHtaccessSave() {
$this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertTrue(strpos($content, "Require all denied") !== FALSE);
$this->assertTrue(strpos($content,"Deny from all") !== FALSE);
- $this->assertTrue(strpos($content,"Options None") !== FALSE);
- $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content,"Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($stream . '/.htaccess', 0444);
diff --git a/vendor/.htaccess b/vendor/.htaccess
index 50d210b11ef4e1854f09a27f4b19a81d28edadee..90748bbc93099df3f75781376c61198eb3d92983 100644
--- a/vendor/.htaccess
+++ b/vendor/.htaccess
@@ -8,8 +8,7 @@
Deny from all
</IfModule>
# Turn off all options we don't need.
-Options None
-Options +FollowSymLinks
+Options -Indexes -ExecCGI -Includes -MultiViews
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006