If you are running Drupal version 8.6.2, and Drupal detects something wrong with your .htaccess file in your public files/ directory, it gives this error in Reports > Status Report:
Public files directory
Not fully protected
See https://www.drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /.../files directory to help protect against arbitrary code execution.
However, the page linked to, https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-..., lists this security notice as applying to Drupal versions 6.x and 7.x, and contains no information specifically indicated as instructions for version 8.x.
This is ambiguous and confusing.