Darkle composer.json can only be exposed if you don't use the included public folder. Our official documentation shows which lines need to be uncommented to enable additional rules for those https://docs.flarum.org/install.html#customizing-paths
clarkwinkelmann Of course! I hadn't thought about it, it's too obvious that I'm like a zombie when installing... 
@clarkwinkelmann my htaccess is uncommented, why I have this issues?
Justoverclock if you are using Apache, check that htaccess files and mod rewrite are enabled.
If you are using Nginx, there are commented lines in the included nginx config. If you're using a different webserver, you need to write your own blacklist.
clarkwinkelmann i have sitegroud (supposed to be Apache as web server and Nginx as reverse proxy). i have uncommended line on nginx config and uncommented line on htaccess....
Justoverclock I'd suggest trying to contact your hosting support, this is something they should be able to figure out easily.
All my tool can do is tell what it can access when it shouldn't
clarkwinkelmann i'm with support right now....
anyway i have this:
https://www.siteground.com/blog/nginx-direct-delivery/
edit: they told me that mod rewrite is enabled....
thats my htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
# Ensure the Authorization HTTP header is available to PHP
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Uncomment the following lines if you are not using a `public` directory
# to prevent sensitive resources from being exposed.
RewriteRule /\.git / [F,L]
RewriteRule ^auth\.json$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]
RewriteRule ^config.php$ / [F,L]
RewriteRule ^flarum$ / [F,L]
RewriteRule ^storage/(.*)?$ / [F,L]
RewriteRule ^vendor/(.*)?$ / [F,L]
# Pass requests that don't refer directly to files in the filesystem to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
</IfModule>
# Disable directory listings
Options -Indexes
# MultiViews can mess up our rewriting scheme
Options -MultiViews
# The following directives are based on best practices from H5BP Apache Server Configs
# https://github.com/h5bp/server-configs-apache
# Expire rules for static content
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/vnd.api+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/calendar "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
ExpiresByType text/markdown "access plus 0 seconds"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
ExpiresByType application/wasm "access plus 1 year"
ExpiresByType font/collection "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType font/otf "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/ttf "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
# Gzip compression
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/collection" \
"font/eot" \
"font/opentype" \
"font/otf" \
"font/ttf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
</IfModule>
# Fix for https://httpoxy.org vulnerability
<IfModule mod_headers.c>
RequestHeader unset Proxy
</IfModule>Justoverclock my unscientific method to troubleshooting htaccess files is to just write garbage in the <IfModule mod_rewrite.c> block. If the website returns a 500 error, it means the htaccess and rewrite mod are working. If the website doesn't crash, it means Apache is ignoring the file.
we are into it with @[deleted] (precious help for me) 
Justoverclock I've worked out why the rewrites aren't working. Siteground listens with NGINX, then passes back to Apache for processing. It most cases, the nginx.conf and .htaccess should do all of the work, but they are being IGNORED ! I have proven this by renaming both files, and the site still functioned even after clearing the cache 
As a workaround, I have had to configure URL security which seems to work. The grade is now capped at C, but by the time I'm done, it should be at least A
after @[deleted] tweak, now we have an A+ 
Here's the new result of the Flarum Lab scan
https://lab.migratetoflarum.com/scans/5d453d52-1c59-4b1e-b77c-dc3421cb2a7a
Following askvortsov suggestion, I implemented gzip support and reporting to the Lab.
This means the Lab will now accept gzip for all requests, which can potentially speed up the scan for websites hosted on slower connections or on the other side of the globe (all requests are made from a DigitalOcean Droplet in Germany).
The Lab will also show show whether gzip is supported in the "Assets size" box and how much bandwidth you are saving.
If the server doesn't support gzip, a message will appear in the same box with recommendations on how to enable it.
The Lab has been experiencing technical issues these last few days. Not sure why yet, but it's constantly running out of memory. Might be too popular!
I'll try to move it to a new server in the coming days, so don't worry if you see it offline for a while. I'm keeping it online for now but if it gets too unstable I'll switch it to maintenance mode.
About this (image), I have uncommented in my nginx.conf gzip: on; the message still appears and the size of the files is the same, should I do something else? I've done some research and I can't find anything regarding file compression.
Darkle Have you restarted your nginx process to apply the config changes?
askvortsov Yes, I did a typical sudo systemctl restart nginx
Darkle are you using the nginx configuration provided by Flarum or your own? The lab only checks the javascript files for gzip compression. Your default configuration might only include images or other resources.
You can see in the Requests section which files were retrieved for the test. You can try accessing those files in your browser and check in the browser network tab whether they were compressed (looking at the headers).
clarkwinkelmann I was using my own nginx.conf to handle multiple sites and redirects on the same server, I checked the included with Flarum and the #Gzip compression section had a lot more stuff, I copied it into my nginx.conf and it works perfectly. Thank you
If anyone also has their own nginx.conf file and is wondering what to include here it is:
# Gzip compression from /var/www/flarumES/.nginx.conf
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;