NESCent / FossilCalibrations

Fossil calibrations database
http://fossilcalibrations.org
BSD 2-Clause "Simplified" License

Allow for more portable config.php location #60

Open jimallman opened 9 years ago

jimallman commented 9 years ago

Our PHP pages currently assume this is in the parent directory (above all FCDB pages) and that this means it's safe outside the web root. But this will not always match the setup on a given server. We should make the location of config.php configurable or take additional steps to secure it.

jimallman commented 9 years ago

I'm marking this as an enhancement, since we can use an .htaccess file to protect this. Beyond that, our root-relative URLs for images, style, etc. already force the web root to the directory holding all FCDB pages, so this file should fall outside of publicly-accessible space.
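One way to make the location configurable while still checking that the file is outside the web root, as an added example that is not part of the original thread or the FossilCalibrations code. The `FCDB_CONFIG_PATH` environment variable and both function names are hypothetical; the fallback is the parent-directory layout the issue describes.

```php
<?php
// Added example, not FossilCalibrations code. FCDB_CONFIG_PATH and both
// function names are hypothetical.

/** True when $path is the same as, or lies beneath, directory $dir. */
function fcdb_path_is_under(string $path, string $dir): bool
{
    $dir = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $dir, strlen($dir)) === 0;
}

/**
 * Resolve config.php: an explicit FCDB_CONFIG_PATH wins, otherwise fall back
 * to the parent of $pagesDir. Refuse any result that sits inside the web
 * root, where a misconfigured server could hand it out over HTTP.
 */
function fcdb_locate_config(string $pagesDir, ?string $docRoot = null): string
{
    $override  = getenv('FCDB_CONFIG_PATH');
    $candidate = ($override !== false && $override !== '')
        ? $override
        : dirname($pagesDir) . DIRECTORY_SEPARATOR . 'config.php';

    // realpath() resolves symlinks and ".." and returns false if missing.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_file($resolved) || !is_readable($resolved)) {
        error_log("FCDB: config not found or unreadable: $candidate");
        throw new RuntimeException('Configuration file is unavailable.');
    }

    $docRoot = $docRoot ?? ($_SERVER['DOCUMENT_ROOT'] ?? '');
    $root    = $docRoot !== '' ? realpath($docRoot) : false;
    if ($root !== false && fcdb_path_is_under($resolved, $root)) {
        // Keep the path in the server log only, not in the page output.
        error_log("FCDB: config is inside the web root: $resolved");
        throw new RuntimeException('Configuration file is in a public location.');
    }
    return $resolved;
}

// Usage from any page in the FCDB directory:
// require_once fcdb_locate_config(__DIR__);
```

The comparison runs on `realpath()` output, so a symlink or `..` in the configured path cannot make a file inside the web root look as if it were outside it.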