Comments (8)
Hmmm, so in the end we need a location tag for /apps/config, but in the end this is more of an HTTP server configuration issue. We could use a FilesMatch as well and ignore .cfg files.
from socialnetwork.
One solution could be to store the configs and other libs outside the document root.
Or, as @chilimatic mentioned, we could block remote access via the webserver configuration.
from socialnetwork.
I would do it via the webserver, but it depends on the "architecture" and the level of security you want to implement.
If you use a CGI you could allow only the static files to be in the group of the HTTP server and remove the read and execution permission, but there are so many ways to solve this.
"Good ones" with open_basedir and AppArmor need some deeper knowledge of the OS.
For the regular case I would recommend a .htaccess solution, since this would be most compatible with shared hosters and such. This is not really secure, but the regular case should be covered.
from socialnetwork.
I vote for the .htaccess way too, since it's the most convenient way, also because moving configs and other parts outside of the document root involves far more changes.
from socialnetwork.
I added a line to .htaccess which blocks remote access to app/config/*.
from socialnetwork.
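A concrete .htaccess for the approach the comment above describes, as an added example that is not the project's own file (the exact line the commenter added is not shown on this page). It assumes Apache 2.4 with AllowOverride permitting these directives, a .htaccess placed in the document root, and the directory name app/config as used in this thread; blocking the .cfg extension everywhere is an extra belt-and-braces choice, not something the project does.

```apache
# Added example .htaccess (document root), not the project's own.
# Assumes Apache 2.4 and that AllowOverride permits FileInfo/AuthConfig here.

# 1) Refuse every request whose URL path starts with /app/config/ (and the
#    directory itself).  mod_alias is usually present even where mod_rewrite
#    is not; the mod_rewrite block is the equivalent for hosts that have it.
<IfModule mod_alias.c>
    RedirectMatch 403 ^/app/config(/|$)
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Paths in a .htaccess RewriteRule are relative to this directory, so no leading slash.
    RewriteRule ^app/config(/|$) - [F,L]
</IfModule>

# 2) Also refuse raw .cfg files wherever they sit under the document root, in case
#    one is copied somewhere else.  FilesMatch in the root .htaccess applies to
#    every subdirectory as well (assumed extension list: only .cfg is named on the page).
<FilesMatch "\.cfg$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# 3) Never list directory contents, so a missing index does not reveal file names.
Options -Indexes
```

Two checks are worth doing after deploying this: `apachectl -t` (or `httpd -t`) to catch syntax errors, and a request such as `curl -sI http://host/app/config/main.cfg` which must return 403 rather than 200. If the host's AllowOverride is `None`, every directive above is silently ignored and the file stays downloadable, which is the "not really secure" shared-hosting caveat raised earlier in the thread.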
If the demo was updated, it's still possible to download the files: www.dasmerkendienie.com/app/config/main.cfg
from socialnetwork.
The demo was updated, but it runs nginx, so my .htaccess / mod_rewrite hack does not have any effect.
I added the following lines to the nginx server config; now all requests should return a 403 Forbidden.
location /app/config {
    deny all;
}
from socialnetwork.
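The nginx fix from the comment above, placed in a full server block as an added example that is not the project's own configuration; the server_name, document root and php-fpm socket are assumptions. It adds the caveat a reviewer would raise about the snippet as posted: a plain prefix `location /app/config` without the `^~` modifier is only used if no regex location matches the same URI, so a later rule such as a static-asset cache block `location ~* \.(css|js|cfg)$` would win and serve the file instead of denying it. `^~` makes the prefix match final.

```nginx
# Added example server block, not the project's own. Assumed values:
# server_name, root, and the php-fpm socket path.
server {
    listen 80;
    server_name example.invalid;
    root /var/www/socialnetwork;
    index index.php;

    # Block the config directory.  "^~" stops nginx from consulting regex
    # locations after this prefix matches, so no later rule can re-enable
    # serving.  The trailing slash keeps /app/configuration out of the match.
    location ^~ /app/config/ {
        # "deny all;" would answer 403 and confirm the path exists;
        # 404 gives away nothing.
        return 404;
    }

    # Also refuse bare .cfg files elsewhere under the root, e.g. a stray copy
    # of main.cfg.  Regex locations are tried in file order, first match wins.
    location ~* \.cfg$ {
        return 404;
    }

    # Usual PHP handler.  Without "^~" above, /app/config/anything.php would be
    # routed here instead of being denied.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

After reloading, verify rather than assume: `nginx -t` for syntax, `nginx -T` to see the merged configuration including any regex locations from included files, and `curl -sI http://host/app/config/main.cfg` which must return 404 (or 403 with `deny all;`), never 200. The same request is what showed the earlier .htaccess change had no effect on the nginx-hosted demo.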
.htaccess does not work on nginx; it's about the directory parsing, which slows it down.
But the common user still uses LAMP with Apache; that's why the .htaccess should still remain.
from socialnetwork.