/sites/default/settings.php has
$update_free_access = FALSE;
However, anonymous user can go on my site to mysite.com/update.php to run db updates. I am logged out of my site and tried on several browsers on several machines. I have tried updating my settings.php page and even removed it and then re-uploaded it but same issue. I also tried clearing the caches to no luck.
I had previously made no changes to my site and today I see the error message in my reports section:
ACCESS TO UPDATE.PHP
Not protected
The update.php script is accessible to everyone without authentication check, which is a security risk. You must change the $settings['update_free_access'] value in your settings.php back to FALSE.
I have searched and found similar issue for drupal 7 and previous but no solid resolution: https://www.drupal.org/project/drupal/issues/1207074
I currently have 8.5.4 installed.