Magento 2: "Your web server is set up incorrectly and allows unauthorized access to sensitive files. Please contact your hosting provider"

This check says that anyone can access the app/etc/* files. For example the app/etc/env.php file that stores credentials to the DB, the crypt key, and other resources.

The better solution is to configure your pub folder as the web root instead of the default installation directory, usually magento2, as specified in most install docs. This will improve overall security and fix your problem. Be sure to edit your other Apache/Nginx location definitions as well. For Nginx, the $MAGE_ROOT directive should be /var/www/example.com/magento2/pub, and so should your root directive. Be sure to flush your cache after making the change as well, otherwise images and CSS files will be broken (System -> Tools -> Cache Management -> Flush Magento Cache).

\Magento\AdminNotification\Model\System\Message\Security is responsible for this functionality. See the _isFileAccessible method.

It will surely put the Magento store at risk.


If you are using Apache, make sure that the .htaccess file that is included with Magento in the /app/ folder is present on your web server, and that Apache is configured to use .htaccess files to override settings per folder, but this should be enabled by default.

The content of this file is supposed to be:

<IfVersion < 2.4>
    order allow,deny
    deny from all
</IfVersion>
<IfVersion >= 2.4>
    Require all denied
</IfVersion>
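The two remedies above (web root moved to pub, or the app/.htaccess deny rule kept in place under Apache) can be verified on the server itself. The following is an added example, not code from Magento or from any of the answers: it mirrors the spirit of the _isFileAccessible self-check but inspects the filesystem rather than sending HTTP requests. It assumes that Apache honours .htaccess files (AllowOverride permits it) and builds a constructed Magento-like directory tree in a temp folder for the demo.

```python
"""Added example (not Magento's code): a filesystem check in the spirit of
the _isFileAccessible self-check. A file under app/etc is reachable only if
it lies inside the document root; under Apache an app/.htaccess deny rule
also blocks it (assumes AllowOverride permits .htaccess, as the answer notes)."""
import tempfile
from pathlib import Path

DENY_DIRECTIVES = ("require all denied", "deny from all")


def htaccess_denies(directory: Path) -> bool:
    """True if directory/.htaccess carries an Apache deny-all directive."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="replace").lower()
    return any(d in text for d in DENY_DIRECTIVES)


def classify(document_root, magento_root, rel_path, apache=True) -> str:
    """Return 'missing', 'outside-webroot', 'htaccess-protected' or 'EXPOSED'."""
    docroot = Path(document_root).resolve()
    target = (Path(magento_root) / rel_path).resolve()
    if not target.exists():
        return "missing"
    try:
        target.relative_to(docroot)  # raises if docroot is pub/ and file is app/etc/
    except ValueError:
        return "outside-webroot"
    if apache:
        # Walk from the file's directory up to the docroot; a deny-all .htaccess on that path blocks it.
        for directory in target.parents:
            if htaccess_denies(directory):
                return "htaccess-protected"
            if directory == docroot:
                break
    return "EXPOSED"


def run_demo() -> dict:
    """Audit a constructed Magento-like tree with the default and pub web roots."""
    mage = Path(tempfile.mkdtemp()) / "magento2"  # constructed sample layout
    (mage / "app" / "etc").mkdir(parents=True)
    (mage / "pub").mkdir()
    (mage / "app" / "etc" / "env.php").write_text("<?php return ['db' => 'x'];\n")
    results = {"root=magento2": classify(mage, mage, "app/etc/env.php")}
    (mage / "app" / ".htaccess").write_text("Require all denied\n")
    results["root=magento2+htaccess"] = classify(mage, mage, "app/etc/env.php")
    results["root=magento2+htaccess,nginx"] = classify(mage, mage, "app/etc/env.php", apache=False)
    results["root=pub"] = classify(mage / "pub", mage, "app/etc/env.php")
    return results
```

Note that the .htaccess rule only helps under Apache; with Nginx the same layout stays exposed unless the web root is pub, which is why the demo reports the nginx case separately.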