Issue #2779833 by iryston, amar.deokar, poker10: Fix Drupal 7 .htaccess to protect .orig and .save files from view

Issue #2768921 by izmeez, mcdruid, Pere Orga, jfhovinne, alexpott, Fabianx, David_Rothstein, coltrane, dawehner, catch, david_garcia, xjm, pwolanin, greggles, larowlan, mlhess: Backport server configuration code from SA-CORE-2016-003 to Drupal 7

Issue #3047412 by mcdruid, Chi, beckydev, DKAN, alexpott, sammuell, rabbitlair, longwave, greggles, interX: Block web.config in .htaccess (and vice-versa)

Issue #1599774 by longwave, ben.bunk, Rob C, stefan.r, David_Rothstein, BTMash, kristofferwiklund, marcingy, mpdonadio, DuneBL, serundeputy, Letharion, quicksketch, alexpott, J-Lee, Morbus Iff: Drupal fails to boot with 503 error and .htaccess protections do not work on Apache 2.4 without mod_access_compat

Issue #2847325 by sammuell, John Morahan, mfb, sanduhrs, D34dMan, C_Logemann, xumepadismal, serg2, walterebert, David Grudl: Support RFC 5785 on Apache by whitelisting the .well-known directory

Issue #2392153 by mparker17, hussainweb, chris.smith, alexpott, dawehner: Disallow composer.json and composer.lock from being indexed

Issue #462950 by pwolanin, Pere Orga: Mitigate the security risks that come from IE, Chrome and other browsers trying to sniff the mime type

Issue #1962780 by David_Rothstein, petyovsky: Fixed 500 Internal server error on Apache 1.x servers after updating to Drupal 7.22.

Issue #1733476 by greggles, BMDan: Fixed Make default htaccess rules protocol sensitive to avoid man-in-the-middle-attacks if users don't fully customize the rule.

Issue #76824 by geerlingguy, xjm, droplet, kbahey: Change notice for Drupal should not handle 404 for certain files.

- Patch #1116416 by Kars-T, Coornail: use 'Header set' instead of 'Header append' in .htaccess to avoid double encoding.

- Patch #1110810 by JohnAlbin, TR: CVS $ tag lurks in .htaccess file (and other dank corners of Drupal).

- Patch #919596 by boombatower: -MultiViews in .htaccess requires odd AllowOverride Options=All,MultiViews.

#348448 follow-up by mfb: Remove default E_STRICT error reporting. We're too far into the release cycle for changes like this. Let's pick it up again in Drupal 8! :)

- Patch #348448 by mfb, c960657, marvil07, cdale, jpmckinney: fixed PHP strict warnings when running tests and for PHP 5.3.

- Patch #352180 by Garret Albright, wrwrwr: better multi-site friendly 'www' addition/removal in .htaccess.

#289120 by jastern: Set magic_quotes_sybase = 0 to prevent default php.ini settings from double-quoting JavaScript in Drupal.

- Patch #308834 by c960657: move setting of magic_quotes_runtime out of settings.php because (i) we don't want a user to change it and (ii) it gets executed a bit earlier in the Drupal bootstrap.

- Patch #217170 by maartenvg, rbiffl: boolean PHP settings are best set with php_flag instead of php_value.

- Patch #150245 by webchick, bjaspan, ralf, Arancaytar et al: move the .schema files into .install files to prevent mistakes.

- Patch #144634 by chx: fixed critical bug that prevented language negotiation to work after/when drupal_goto() is called.