Moving the web root to a more secure location?

Just come across this project, and trying to set it up for a specific use-case, and it looks great so far.

However, having the whole application - absolutely everything - in the web root feels very old now, and is just asking for security problems further down the line. The fact that so many of the PHP scripts execute code directly, and aren’t just autoloaded classes that define code for a relatively small number of entry points, leaves me a little uncomfortable.

The .htaccess file tries to hide a lot of the files in the web root by rewriting them to 404s. That’s just a sticking plaster - those files should not be in the web root in the first place if they have no business being there.

So, has anyone here ever managed to move the web-accessible files into their own web root, even if just a “public” directory in the main application root? Is it even possible, or are the web-accessible files distributed all over the directory structure?

Sorry if that sounds negative, but this is just my first observation after coming from other modern frameworks (and seeing it work this way in many older frameworks that have all had their own security issues). But can it be done, and has anyone successfully done it?

Not sure if I’m following you 100%, but the /data/ dir of my NC servers are all far outside of the webroot. It’s an option during setup to change it, and if necessary can be changed after installation too.
