安全性:我应该将供应商目录和 composer.json 移到文档根目录之外吗? [英] Security: Should I move vendor dir and composer.json outside of document root?
问题描述
- 刚开始与作曲家合作.
在我的
<documentroot>/vendor/目录中安装了一些带有 composer 的东西.
- Just started working with composer.
Installed some stuff with composer into my
<documentroot>/vendor/dir.
现在,每个人(每个黑客)都可以在阅读我的 composer.jsonhttp://foo.tld/composer.json
然后他们就知道安装了哪些软件.然后他们可能会使用 http:/之类的 URL 来探测我的 <documentroot>/vendor/ 目录/foo.tld/vendor/symfony/.
Then they know, which software is installed. Then they may probe my <documentroot>/vendor/ dir with URLs like http://foo.tld/vendor/symfony/.
我该怎么办?
a) 我可以:
chmod 0600 composer.json- 将
.htaccess放入供应商目录,以拒绝所有访问
chmod 0600 composer.json- put a
.htaccessinto the vendor dir, to deny all access
b) 将供应商目录移到文档根目录之外(这在共享主机环境中并不总是可行的.
b) Move the vendor dir outside the document root (which is not always possible in shared hosting environments.
推荐答案
你应该把它移出 DOCUMENT_ROOT.
You should move it out of DOCUMENT_ROOT.
框架应用程序的通常结构是顶级目录(包含内容以及 composer.json 文件)不是 DOCUMENT_ROOT.通常有一个专门的目录,里面可能命名为public"或htdocs",其中包含the"中央 index.php 文件旁边的所有常用资产(CSS、JS、图片).
The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.
如果您无法通过共享主机获得该布局,您可能应该继续,因为您无法隐藏文件以防止直接 HTTP 访问.
If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.
这篇关于安全性:我应该将供应商目录和 composer.json 移到文档根目录之外吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
