Security considerations – custom configuration

By default, the application is secured on standard hosting plans that use .htaccess files (such as cPanel and DirectAdmin).

This section only refers to custom configurations without support for .htaccess, such as nginx, or Apache without mod_rewrite.

These configurations are used mostly on VPS or dedicated servers, and this page is intended mainly for professionals who operate such environments.

When using a custom configuration (without .htaccess support) you must take certain security precautions; these apply to many PHP applications deployed on custom configurations:

  • make sure that the contents of the zz_engine directory cannot be accessed by users (via the browser)
    examples of files that must not be accessible to users:
    • /zz_engine/zzzz_secuirty_check_file.html
    • /zz_engine/.env
    • /zz_engine/*
  • no hidden files (dotfiles) should be accessible to users
  • the install directory should be removed after installation
  • any directory (and its contents) that contains an .htaccess file with a “Deny from all” directive must not be accessible, since your web server will not read that .htaccess and the denial must be reproduced in its own configuration
  • directory listings (index of files) must not be displayed via the browser
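The following nginx server block is an added example that enforces the precautions above; it is not part of the application's own documentation. The hostname, document root (/var/www/app), PHP-FPM socket path and the /install/ URL path are assumptions to adjust to your deployment.

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder hostname
    root /var/www/app;                # placeholder document root
    index index.php index.html;

    autoindex off;                    # never render directory listings

    # Deny the whole engine directory (covers .env, the security check file, everything else).
    # "^~" makes this prefix location win over regex locations such as the PHP handler below.
    location ^~ /zz_engine/ {
        deny all;
    }

    # Deny dotfiles anywhere (.env, .git, .htaccess, ...).
    # If you serve ACME challenges, add an exception location for /.well-known/ before this one.
    location ~ /\. {
        deny all;
    }

    # The install directory should be deleted after installation; deny it until it is.
    # "/install/" is an assumed path; use the directory name of your actual installer.
    location ^~ /install/ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Only pass real files to PHP-FPM, so a request for a missing .php path cannot
    # fall through to an unexpected script, and the deny rules above cannot be bypassed.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Every directory that ships with a “Deny from all” .htaccess needs its own `location ^~ ... { deny all; }` block in the same way, because nginx ignores .htaccess files entirely. After reloading, confirm with a browser or curl that the listed paths return 403 or 404 rather than file contents.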