Ever feel annoyed by .htaccess files showing up in your Drupal project, only to realize that Nginx (or IIS, or any non-Apache server) ignores them? I know I do.
Those files aren't empty stubs—they pack all the usual Drupal rules (security guards, PHP-execution blocks, directory-listing bans, etc.). Great for Apache, but total clutter elsewhere—and sometimes they even throw obscure errors during deploys or status checks.
Good news!
As of Drupal 11.3.0, you can stop that auto-creation in its tracks. Just add this to your settings.php:
$settings['auto_create_htaccess'] = FALSE;
Now Drupal won't drop .htaccess files where you don't need them. Your repo stays clean, your CI logs stay quiet, and you'll never chase random htaccess warnings again.
If your Nginx (or IIS) config was already handling script blocking, directory-listing prevention and any custom rewrites, you're all set—nothing else changes. If you haven't locked down those directories yet, take a quick look at Drupal's filesystem security guide before flipping the switch.
And let's be honest: this issue was first opened in 2009—and only now, in 2025, has it finally been resolved. It's wildly frustrating to see core development move at such a glacial pace, waiting years for what should have been a simple toggle.
That's it—non-Apache devs, rejoice! Flip the switch, keep your codebase tidy, and let your web server handle what it does best.