Geek Answers Handbook

How to hide configuration files from direct access?

I am using Laravel for a web application. We uploaded everything to production and found out that some files can be directly accessed via url - for example, http://example.com/composer.json

How to avoid direct access?

+16
source share
10 answers

You are using the wrong web server configuration. Direct your web server to the public directory and restart it.

For Apache, you can use the following directives:

 DocumentRoot "/path_to_laravel_project/public" <Directory "/path_to_laravel_project/public">

For nginx you should change this line:

 root /path_to_laravel_project/public;

After that, all Laravel files will no longer be accessible from the browser.

+28
source

This is not true. composer.json is outside the public directory and therefore should not be accessible. This means that your VirtualHost configuration is incorrect.

Please make sure your path to your directory ends with /public .

+2
source

Direct the web server to the shared directory in the project root folder

 project root folder/public

but if you don’t have a shared folder and you are already pointing to the root folder, you can deny access by writing the following code in the .htaccess file.

 <Files ".env"> Order Allow,Deny Deny from all Allow from 127.0.0.1 </Files>

in the above code, we first refuse all and allow only from our own server (localhost to the server) to run, and therefore we can protect it from external users.

+1
source

Set the document root as the public directory, so other files will not be directly accessible. Look for it in your Apache / nginx / ??? configuration files.

0
source

It depends on your web server. With Apache, these will be .htaccess files, while with Nginx it will be processed in the server configuration file.

0
source

You can also refuse .htaccess files.

 <Files "composer.json"> Order Allow,Deny Deny from all </Files>
0
source

With Apache, you can create a .htaccess file in the root directory of a Laravel project to overwrite all requests in the public / directory.

 <IfModule mod_rewrite.c> RewriteEngine on RewriteRule ^(.*)$ public/$1 [L] </IfModule>
0
source

Direct your web server to a shared directory and restart it.

For Apache, you can use these directives:

 DocumentRoot "/path_to_laravel_project/public" <Directory "/path_to_laravel_project/public">

You can also deny files in .htaccess.

 <Files "composer.json"> Order Allow,Deny Deny from all </Files>

for multiple files, you can add the tag above the files several times to .htaccess files.

0
source

just create empty

index.php

in the configuration directory and write a message in the file how you want to tell the user acccessor

ex. access denied by server

-1
source

For apache 2.4 or higher use

 <Files "web.config"> Require all denied </Files>
-1
source

More articles:


All Articles