Hello there 
I’m getting this in my system panel on production live site :
But I checked at the root folder and the .htaccess is well here. Revision 2023-07-22
And if I try to access site.ltd/content/site.txt or site.ltd/config/config.php or site.ltd/kirby/bootstrap.php all of it is redirecting my to root as expected.
I wonder where to look at 
Have you checked the following urls:
Hello @texnixe !
Tried all of them and I’m redirected to root all the time. Which is fine I guess.
Right, but also the reason Kirby reports that these urls might be exposed (and Kirby doesn’t say they ARE exposed). Guess if you check the network tab, the response code is a 30x, not a 400.
What I’m wondering, though: Are you redirecting the error page to home somewhere? While Kirby’s .htaccess routes through index.php, the router should then route to the 404 page, at least it does for me locally if I use MAMP (usually using Laravel Herd which uses Nginx under the hood).
Ah yes. In site/templates/error.php I put <?php go($site->homePage()); ?>
Not a good practice? 
Not really, better use a custom error page with good information for the user. Also, a 404 tells bots that a url is outdated.
I see… I’d have loved to see a reference on how to set up a state-of-the-art error page but I’m afraid I can’t see any example in the starterkit, nor in the plainkit nor in the docs or cookbook. 
Any hint on that would be warmly appreciated 
I guess I’ll use $response->code() | Kirby CMS to check if it’s a 404 and then adapt the content in consequence.
Thank you!
Not sure what you mean? The error page in the Starterkit uses error.txt, so you can create a template called error.php and be as creative about that page as you like.
