
create .htaccess file #1093

Merged
merged 1 commit into from
Jan 6, 2018

Conversation

jinformatique
Contributor

Changes in this pull request:

  • To force HTTPS
  • To hide directory listing
  • To prevent access to .env and other files

@JC5

- To force HTTPS
- To hide directory listing
- To prevent access to .env and other files
@jinformatique
Contributor Author

I hope this makes sense. I noticed that someone could access my .env file simply by going to the URL:
https://<website.com>/firefly-iii/.env

@JC5
Member

JC5 commented Jan 4, 2018

Nice! I see a few things I would do differently though:

  1. The change-over to https is useful but should be commented out by default. A lot of people use reverse proxies which do not support https by default.
  2. Shouldn't it be enough to redirect the user to /public/ using a Permanent Redirect? If people put the entirety of Firefly III into a publicly accessible directory (this is a bad idea btw because all your files and session data are open to the world as well) then they should always end up in /public/ if they visit /.

I've updated your pull request to go to the develop-branch.

@JC5 JC5 changed the base branch from master to develop January 4, 2018 13:47
@jinformatique
Contributor Author

Yes ok, the thing is to test if visiting /firefly-iii/.env does the redirect to /public/ as well.
The main point is to avoid revealing the .env file to internet.

@JC5
Member

JC5 commented Jan 5, 2018

Yes, if it gives a 403 it's OK.

Keep in mind that your storage-directory is also open to the internet (with or without htaccess file) and this is not good.

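The discussion above settles on four behaviours for an .htaccess placed in the install root: the HTTPS redirect present but commented out, directory listings off, a 403 for .env and similar files, and a permanent redirect from / to /public/, with JC5's closing remark that storage/ is otherwise reachable too. The file below is an added example written for this review, not the .htaccess merged in #1093. It assumes Apache 2.4 syntax (`Require all denied`; Apache 2.2 needs `Order deny,allow` / `Deny from all` instead), that mod_rewrite is loaded, that the vhost grants `AllowOverride` for `Options` and `FileInfo` (otherwise the file is silently ignored or triggers a 500), and a Laravel-style directory layout (app/, storage/, vendor/, ...) for the denied-directory list.

```apache
# Example .htaccess for the Firefly III install root (e.g. /firefly-iii/).
# Added for this review; not the file merged in the PR. Paths are assumptions.

# 1. Force HTTPS: kept commented out by default. Behind a reverse proxy that
#    terminates TLS, %{HTTPS} is "off" on the backend and this rule would
#    redirect every request in a loop.
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# 2. Never render a directory index, in this directory or any subdirectory.
Options -Indexes

# 3. Answer 403 for every dotfile: .env, .git*, .htaccess itself, and so on.
#    FilesMatch applies recursively, so /firefly-iii/.env and
#    /firefly-iii/storage/.gitignore are both covered.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# 4. Deny direct access to application directories that must never be served.
#    storage/ holds logs and session files; the others hold code and config.
#    [F] returns 403, [L] stops processing. The directory names are the
#    assumed Laravel layout.
RewriteEngine On
RewriteRule ^(app|bootstrap|config|database|resources|routes|storage|tests|vendor)(/|$) - [F,L]

# 5. Send a request for the install root itself to public/ with a 301.
#    In per-directory context the path prefix is stripped, so ^$ matches a
#    request for exactly this directory. Appending to %{REQUEST_URI} keeps the
#    redirect correct whatever the install path is, without a RewriteBase.
RewriteRule ^$ %{REQUEST_URI}public/ [R=301,L]
```

Verify the result the way the thread suggests: a request for /firefly-iii/.env and for /firefly-iii/storage/ should return 403, a request for /firefly-iii/ should return 301 with a Location header ending in /public/, and a request for a directory without an index file should return 403 rather than a listing. Note that none of this replaces the correct deployment, which is to point the DocumentRoot at public/ so that the rest of the tree is not reachable by URL at all; the .htaccess is a mitigation for installs that cannot do that.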
@JC5 JC5 merged commit f13f378 into firefly-iii:develop Jan 6, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020