Plaintext about socialnetwork HOT 8 CLOSED

hmmm so in the end we need a location tag for /apps/config but in the end this is more of a http server configuration issue. we could us a filematch as well and ignore .cfg files.

from socialnetwork.

one solution could be to store the configs and other libs outside document root.
or as @chilimatic mentioned we could block the remote access via webserver configuration.

from socialnetwork.

I would do it via the webserver. but it depends on the "architecture" and the level of security you wanna implement.

if you use a CGI you could allow only the static files to be in the group of the http server and remove the read and execution permission but there are so many ways to solve this.

"Good Ones" with open_basedir and apparmor need some deeper knowledge of the OS.

For the regular case I would recommend a .htaccess solutions since this would be most compatible with shared hosters and such. This is not really secure but the regular case should be covered.

from socialnetwork.

i vote for the .htaccess way too, since its the most convenience way, also because moving configs and other parts outside of document root involves far more changes.

from socialnetwork.

i added a line to .htaccess which blocks remote access to app/config/*

from socialnetwork.

If demo was updated, it's still possible to download the files. www.dasmerkendienie.com/app/config/main.cfg

from socialnetwork.

demo was updated but runs nginx so my .htaccess / mod rewrite hack does not have any effect 👏
i added following line to nginx server config, now all requests should return a 403 Forbidden.

location /app/config {
   deny all;
}

from socialnetwork.

htaccess does not work on nginx it's about the directory parsing which slows it down.
but the common user still uses LAMP with apache that's why the htaccess still should remain.

from socialnetwork.