安全性:我应该将供应商dir和composer.json移到文档根目录之外吗? [英] Security: Should I move vendor dir and composer.json outside of document root?
问题描述
- 刚刚开始与作曲家合作。
-
使用Composer将一些东西安装到我的
< documentroot> / vendor /
目录中。
现在,每个人(每个黑客)都可以在
<下读取我的 composer.json
a href = http://foo.tld/composer.json rel = noreferrer> http://foo.tld/composer.json
Now, everybody (every hacker) can read my composer.json
at
http://foo.tld/composer.json
然后他们知道安装了哪种软件。然后,他们可以使用< documentroot> / vendor / 目录noreferrer> http://foo.tld/vendor/symfony/ 。
Then they know, which software is installed. Then they may probe my <documentroot>/vendor/
dir with URLs like http://foo.tld/vendor/symfony/.
我应该做什么
a)我可以:
-
chmod 0600 composer.json
- 将
.htaccess
放入供应商目录,以拒绝所有访问
chmod 0600 composer.json
- put a
.htaccess
into the vendor dir, to deny all access
b)将供应商目录移到文档根目录之外(在共享托管环境中并不总是可能的。)
b) Move the vendor dir outside the document root (which is not always possible in shared hosting environments.
推荐答案
您应该将其移出DOCUMENT_ROOT。
You should move it out of DOCUMENT_ROOT.
框架应用程序的通常结构是:顶层目录(包含内容和composer.json文件)不是DOCUMENT_ROOT。通常有一个专用目录,其中可能名为 public或 htdocs,其中包含所有常规资产(CSS,JS,图片)旁边的中央 index.php文件。
The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.
如果您无法通过共享主机获得该布局,则可能应该继续前进,因为您无法在此处隐藏来自直接HTTP访问的文件。
If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.
这篇关于安全性:我应该将供应商dir和composer.json移到文档根目录之外吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!