The /vendor folder blocked by Nginx
It's more that I'm curious about other people's thoughts about this. Should the /vendor/ folder (where Composer places its dependencies) be denied access by default?
Today I found a publicly accessible vendor folder on a just-migrated webshop (it had a .htaccess inside /vendor/ to deny access, but Nginx of course ignores it).
-
Jeroen Boersma commented
I have my Magento installations installed in htdocs, thereby placing the composer files outside the document root.
Of course this means I've linked /public to this location, but security-wise I would never run into problems like these.
-
Mark van der Sanden commented
@sander That would be very confusing for first time users of the Hypernode platform and would generate a lot of support questions.
I think /composer.lock, /composer.json and /vendor/composer/ are the most important to deny access to and would not lead to any confusion because nobody ever has a reason to request these files from a browser.
-
Sander Mangel commented
Sounds good, I'm all in favor. Maybe even turn it around and only make the root, media, js and skin accessible.
-
Mark van der Sanden commented
This also counts for /composer.lock and /composer.json by the way. I cannot think of any reason why you would like these files publicly accessible.
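An added example, not part of this thread and not Hypernode's or Magento's own configuration: an Nginx vhost that implements the two approaches discussed above. The first server block is the deny list Mark proposes (/vendor/, /composer.json, /composer.lock, which also covers /vendor/composer/), the second is the allow-list Sander suggests (only the front controller plus media, js and skin are served). Hostnames, paths, the PHP-FPM socket and the list of Magento entry points are assumptions for illustration.

```nginx
# Constructed example: deny-list variant.
server {
    listen 80;
    server_name shop.example.com;          # assumed hostname
    root /var/www/shop/public;             # assumed document root
    index index.php;

    # Composer artefacts. Return 404 rather than 403 (deny all) so the
    # response does not confirm that the path exists on disk.
    # "^~" stops regex locations (e.g. the .php handler) from matching
    # /vendor/some/package/index.php.
    location ^~ /vendor/     { return 404; }
    location = /composer.json { return 404; }
    location = /composer.lock { return 404; }

    # Nginx never reads .htaccess, so dotfiles need an explicit rule too.
    location ~ /\. { return 404; }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

# Constructed example: allow-list variant. Everything not listed is a 404,
# so a newly added directory is closed by default instead of open.
server {
    listen 80;
    server_name shop-allowlist.example.com;  # assumed hostname
    root /var/www/shop/public;               # assumed document root
    index index.php;

    # Static asset directories that a browser legitimately requests.
    location ~ ^/(media|js|skin)/ {
        try_files $uri =404;
    }

    # Magento 1 entry points (assumed set; extend for your shop, e.g. cron.php).
    location ~ ^/(index|api|get)\.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Pretty URLs still reach the front controller.
    location / {
        try_files $uri /index.php$is_args$args;
    }

    # Anything else (vendor/, composer.*, app/etc/local.xml, ...) is not served.
    location ~ . { return 404; }
}
```

After `nginx -t` and a reload, check the result from outside rather than trusting the config: `curl -sI http://shop.example.com/vendor/composer/installed.json` and `curl -sI http://shop.example.com/composer.lock` should both return 404, while `curl -sI http://shop.example.com/skin/` style asset requests still return 200. The ordering matters in the first block: without the `^~` prefix, a request for a PHP file under /vendor/ would be matched by the regex `.php$` location first and handed to PHP-FPM.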