diff --git a/.htaccess b/.htaccess
index b26c63bb57e2..01c63af981f7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,9 +15,6 @@
 # Don't show directory listings for URLs which map to a directory.
 Options -Indexes
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
-
 # Set the default handler.
 DirectoryIndex index.php index.html index.htm
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index e4e7fde44f23..b6a2a9dc246f 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
@@ -79,8 +79,7 @@ class FileStorage implements PhpStorageInterface {
 public static function htaccessLines($private = TRUE) {
 $lines = <<assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
 $this->assertFalse(strpos($content, "Require all denied") !== FALSE);
 $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
- $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($public . '/.htaccess', 0444);
@@ -54,8 +53,7 @@ class HtaccessUnitTest extends KernelTestBase {
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
- $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($private . '/.htaccess', 0444);
@@ -68,8 +66,7 @@ class HtaccessUnitTest extends KernelTestBase {
 $this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
- $this->assertTrue(strpos($content,"Options None") !== FALSE);
- $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content,"Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($stream . '/.htaccess', 0444);
diff --git a/vendor/.htaccess b/vendor/.htaccess
index 50d210b11ef4..90748bbc9309 100644
--- a/vendor/.htaccess
+++ b/vendor/.htaccess
@@ -8,8 +8,7 @@ Deny from all
 # Turn off all options we don't need.
-Options None
-Options +FollowSymLinks
+Options -Indexes -ExecCGI -Includes -MultiViews
 # Set the catch-all handler to prevent scripts from being executed.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
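Review bot: The replaced assertions in HtaccessUnitTest only check that the new `Options -Indexes -ExecCGI -Includes -MultiViews` line is present, so nothing fails if a generated file also still carries `Options +FollowSymLinks`, the directive this commit removes. Consider adding `$this->assertFalse(strpos($content, "Options +FollowSymLinks") !== FALSE);` next to the new assertion in the hunks at -54 and -68, and in the earlier hunk of the same file that checks the public directory. The enclosing test method starts and ends outside these hunks.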
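Review bot: The comment `# Turn off all options we don't need.` in vendor/.htaccess no longer matches the directive beneath it. `Options None` replaced the inherited option set, whereas `Options -Indexes -ExecCGI -Includes -MultiViews` only subtracts four options from whatever the server or a parent directory enabled, so symlink handling and any option not listed are now inherited. I would reword the comment to say so, for example `# Turn off the options we know we don't need; anything else, including symlink handling, is inherited from the server configuration.`, so that operators know the hardening of this protected directory now depends on the parent config. The HtaccessUnitTest assertions suggest the same line is generated for the public, private and stream directories, so the same wording presumably applies to the generated files.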