Configure your webserver correctly

James Cole edited this page Jan 9, 2018 · 3 revisions

If you followed a link from your Firefly III installation to this page, please read the following notice carefully. It looks as if you have configured your webserver to serve Firefly III from the following directory /firefly-iii/. It must be /firefly-iii/public/.

There are a few security issues that may happen when you do not change the document-root of your web server to /firefly-iii/public/:

  1. You are exposing your .env file which contains your database username and password. This means an attacker could steal all your financial data. Even when it is encrypted, because the .env file also contains the encryption key.
  2. You are exposing your storage directory which contains all of your file uploads and import data. This means that an attacker can steal your bank files, attached PDF files (salary info, bills, receipts) and other sensitive data.
  3. You are exposing your session storage directory. This means an attacker can impersonate you and read all your data at their leisure.

Please correct this as soon as possible!

But how?


Create a file called .htaccess in the /storage/ directory and give it the following content:

Options All -Indexes
Deny from all

That should fix it.

Other webservers and more help

You can Google more instructions for Apache and nginx. Other instructions can be Googled as well.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.