
Magento Security Scan
The Magento Security Scan is a free tool. It flags common issues on Magento 2 installs such as missing 2FA, missing reCAPTCHA and suspicious-looking scripts.
However, there are a lot of issues that Magento itself creates and that you need to solve. The first is that it ships a .user.ini file in the web root, where it is publicly accessible.
How do I know if I am impacted by this?
You will see this error in your magento security scan:
We have determined that your installation's configuration file(s) are publicly accessible over HTTP.'.user.ini'
How do I fix the Magento .user.ini issue?
While you could remove the file and add it to .gitignore, there is a good chance that a later composer update will reintroduce it.
The best solution is to block it at the nginx level with a simple deny statement:
# Refuse any request whose normalised URI ends in .user.ini
location ~ \.user\.ini$ {
    deny all;
}
This small change ensures that nginx will never serve this file to the public.
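To see which requests the deny rule above actually catches, and to check an access log for requests to .user.ini that were still answered with 200, here is a small added example (not code from the original post or from Magento). It approximates nginx's URI normalisation (query string dropped, percent-decoding, duplicate slashes collapsed, dot segments resolved) before applying the page's regex; that approximation, the broader pattern without the `$` anchor, and the sample log lines are all assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# The rule from the page: nginx regex location "~ \.user\.ini$".
USER_INI_LOCATION = re.compile(r"\.user\.ini$")

# Assumption: a broader variant that also covers backup copies such as
# .user.ini.bak left behind by editors or deployments. Not from the page.
BROADER_LOCATION = re.compile(r"/\.user\.ini")


def normalize_uri(raw: str) -> str:
    """Approximate what nginx does to a request URI before location matching.

    Simplified model (assumption): strip the query string, percent-decode,
    collapse repeated slashes and resolve '.' / '..' segments.
    """
    path = raw.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/{2,}", "/", path)
    path = posixpath.normpath(path)
    return path


def is_denied(raw_uri: str, pattern: re.Pattern = USER_INI_LOCATION) -> bool:
    """True if the given request URI would hit the deny location."""
    return bool(pattern.search(normalize_uri(raw_uri)))


# Constructed sample of nginx combined-format access log lines.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /.user.ini HTTP/1.1" 200 112 "-" "curl/8.0"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:05:07 +0000] "GET /pub/.user.ini HTTP/1.1" 403 153 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_exposed(log_text: str, pattern: re.Pattern = USER_INI_LOCATION):
    """Return (uri, status) for requests that match the deny pattern but were
    still served with HTTP 200, i.e. evidence the file is exposed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"))
        if status == 200 and is_denied(m.group("uri"), pattern):
            hits.append((m.group("uri"), status))
    return hits


if __name__ == "__main__":
    for uri in ["/.user.ini", "/pub/.user.ini", "/.user.ini?x=1",
                "/%2Euser.ini", "/pub/../.user.ini", "/.user.ini.bak"]:
        print(f"{uri:22} denied={is_denied(uri)}  broader={is_denied(uri, BROADER_LOCATION)}")
    print("exposed in sample log:", find_exposed(SAMPLE_LOG))
```

After deploying the nginx block, a direct request such as `curl -sI https://your-store.example/.user.ini` (placeholder host) should return 403 rather than 200; the `find_exposed` scan over your real access log shows whether anything was fetched before the rule was in place.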