@mlhess wrote on #2508666: Drupal 8 .htaccess rule to prevent php file access can be easily bypassed:
Can we build in a status check for people who may not have htaccess set up correctly? Something that says their site is insecure, like the update notices.
@pwolanin replied:
@mlhess - reliably checking Drupal by trying to make http requests to itself has problems. e.g. see: #965078: HTTP request checking is unreliable and should be removed in favor of watchdog() calls
At this point I wonder if implementing some of these checks client side (i.e. JS) would be more sensible, since clearly the browser can access the site at the point you are viewing a report page.
and @chx replied:
If you do, you need to do it with JS and/or PHP-masquerading-as-image, but server-to-server requests have been attempted and failed. There are too many variations to make it work reliably. So please do not try it again :)
This issue will explore creating a solution that works in all cases.
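One way the client-side (JS) check suggested above could classify a probe response from the browser viewing the report page, as an added example that is not Drupal core code or code from this issue. The probe URL, the marker strings and the function names are hypothetical, and the code assumes a probe PHP file has been placed in a directory that .htaccess is supposed to block.

```javascript
// Added example: hypothetical client-side status check, not a Drupal API.
// Assumption: a probe file exists at PROBE_URL containing
//   <?php echo 'probe-executed';
// inside a directory where .htaccess should deny PHP access.
const PROBE_URL = '/path/to/protected-dir/probe.php'; // placeholder path
const EXECUTED_MARKER = 'probe-executed'; // output only if PHP ran the file
const SOURCE_MARKER = '<?php';            // present only if served as raw text

// Pure decision logic, kept separate so it can be tested without a network.
function classifyProbe(status, body) {
  // The deny rule worked: the web server refused or hid the file.
  if (status === 403 || status === 404) return 'protected';
  if (status >= 200 && status < 300) {
    // Check raw source first: the source text also contains the marker.
    if (body.includes(SOURCE_MARKER)) return 'source-exposed';
    if (body.includes(EXECUTED_MARKER)) return 'php-executed';
  }
  // Redirects, 5xx, custom error pages returned with 200, proxies, etc.
  return 'inconclusive';
}

// Runs in the admin's browser, which can already reach the site.
async function checkHtaccess(fetchImpl = fetch, url = PROBE_URL) {
  try {
    const res = await fetchImpl(url, {
      cache: 'no-store',     // do not trust a cached answer
      credentials: 'omit',   // test what an anonymous visitor would get
      redirect: 'manual',    // a redirect is not proof of protection
    });
    return classifyProbe(res.status, await res.text());
  } catch (err) {
    return 'inconclusive';   // network error: report nothing rather than "secure"
  }
}
```

Only `php-executed` and `source-exposed` should raise a warning on the report page; `inconclusive` must not be shown as a pass.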