I am just launching a Kirby site on our Runcloud hosting - The hosting is setup on a NGINX/Apache2 Hybrid stack (Allows .htaccess to be used).
My Kirby panel warns me my content folder is exposed even though I have all the default Kirby .htaccess settings including RewriteRule ^content/(.*) index.php [L]
Its because everythings in the web root, ie the public or www or whatever your host has called it. If your host allows you to you, you can place those folders outside of the public area which increases security.
How does this look like and where does it come from? I have Apache with a standard Kirby setup and never see such warning. Knowing the source where this warning is triggered might help finding the reason.
Maybe you need to dive deeper into the settings of your provider. Citing their docs:
By using this stack, your static files (eg: css,js,images,fonts) will be served by NGINX. If it is PHP, NGINX will pass it to Apache2 and the request will be passed to PHP-FPM.
For me, this means that requests for static files will not be served by Apache and thus no evaluation of its .htaccess rules. The rules therein will only be taken into account if .php files are requested. However, the sense of Kirby’s .htaccess file is to redirect all requests pertaining to any file in the site, kirby or content folder to the main index.php which serves as a dispatcher.