By default, opening /console shows the PHP source, which is a bit ugly.
The default .htaccess file should return 403 for this path.
Not sure, but AFAIK we don't put an htaccess file into the root folder, e.g. because users might have their own htaccess defined there. I might be wrong though.
Couldn't we just use
(PHP_SAPI !== 'cli') && die('cli only'); ?
Or is the problem that the file does not get interpreted because it has no .php ending?
Exactly. The source is public anyway though, so it is not much of a problem.
Exactly, this is less about security (as everyone can already know the content), but more about not showing URLs that can be confusing to the user or appear broken.
The same could be said about all other files in the root directory (composer.json, etc.)
Well, I don't see a good method to provide a .htaccess now without breaking existing installations.
Personally I would close this issue. If someone is concerned about it, they can block it in their htaccess or webserver. We're not showing the URLs to users so they shouldn't get confused IMO
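For anyone who blocks the path in their own htaccess or web server as suggested above, a way to confirm the rule takes effect on their own installation. This is an added example, not part of the thread or the project's code; the helper names, the marker strings and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Paths named in the thread; extend with other root files of your installation.
ROOT_PATHS = ["/console", "/composer.json"]

# Assumed heuristics: byte strings suggesting the raw file was served as text.
SOURCE_MARKERS = (b"<?php", b"#!/usr/bin/env php", b'"require"')

def classify(status, body):
    """Return 'blocked', 'source-exposed' or 'served' for one response."""
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and any(m in body[:2048] for m in SOURCE_MARKERS):
        return "source-exposed"
    return "served"

def fetch(base_url, path, timeout=5):
    """GET base_url + path and return (status, first 2 KiB of the body)."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(2048)
    except urllib.error.HTTPError as err:
        return err.code, b""

def audit(base_url, fetcher=fetch):
    """Map each root path to its classification."""
    return {p: classify(*fetcher(base_url, p)) for p in ROOT_PATHS}

# Constructed responses: a server with a deny rule for composer.json only.
def sample_fetcher(base_url, path):
    samples = {
        "/console": (200, b"#!/usr/bin/env php\n<?php\n// constructed body\n"),
        "/composer.json": (403, b""),
    }
    return samples[path]

if __name__ == "__main__":
    for path, verdict in audit("https://example.invalid", sample_fetcher).items():
        print(f"{path}: {verdict}")
```

To check a real installation, call audit() with its base URL and the default fetcher; every path should come back as "blocked" once the deny rule is in place.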