Rudloff / alltube

Web GUI for youtube-dl
GNU General Public License v3.0

Add htaccess rules to prevent sensitive folder/files access ? #391

Open LoganTann opened 2 years ago

LoganTann commented 2 years ago

Your environment

Please answer these questions when reporting a new issue:

What is your operating system (Windows, Linux, OSX, etc.)? : Ubuntu Server 20.04

What is your web server (Apache, IIS, etc.)? : Apache

What version of AllTube are you using? : branch develop, commit 835170f

How did you install AllTube (with Git or with a release package)? : git

What version of PHP are you using? : 8.1

What version of Python are you using? : 3.8.10

What version of youtube-dl are you using? : 2020-03-24

Do you get any PHP-related errors in your webserver's logs?: no

What is the content of your config/config.yml file? : same config as #384

Please provide the URL of a video that causes the issue. : not related

Describe your issue

It isn't possible to access the .git folder, but requesting http://alltube.<domain>/.git/HEAD will work. Since the git folder has a well-known structure, it is possible to copy the whole local repository. Leaving the git folder accessible in prod is a security issue (see https://gaurav5430.medium.com/web-security-exposed-git-folder-in-production-51ad9484dee0)

It is the same for the config file. I think it is a good idea to add a rule to the .htaccess file that will prevent some sensitive files/folders from being accessed through Apache.

Rudloff commented 2 years ago

The app is open-source so the information that would be displayed is already public, but I agree it is a good practice to prevent access to the .git/ folder. Do you want to submit a PR that adds this rule to .htaccess?
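One way to write the rule requested in this thread, as an added example that is not part of the AllTube repository or the maintainer's reply. It assumes Apache 2.4 with mod_alias loaded, an `.htaccess` placed in the AllTube document root (the checkout directory, so `.git/` and `config/config.yml` sit directly beneath it), and a vhost whose `AllowOverride` includes at least `FileInfo` and `AuthConfig`; `alltube.example` is a placeholder hostname. Directory listing already returns 403 for `.git/`, but Apache still serves individual files inside it, so the rule has to match the path prefix, not the directory index.

```apacheconf
# Hypothetical .htaccess hardening for an AllTube checkout served from the repo root.
# Added example, not project code.

# 1. Refuse any request whose path contains a dot-prefixed component
#    (.git, .gitignore, .htaccess, .env, ...). RedirectMatch is mod_alias,
#    which is loaded in virtually every Apache build, and answering 404
#    instead of 403 does not confirm that the file exists. .well-known is
#    excluded because ACME (Let's Encrypt) validation needs it.
RedirectMatch 404 "(^|/)\.(?!well-known(/|$))"

# 2. config/config.yml is not a dotfile, so it needs its own rule.
#    <FilesMatch> matches on the file name, which is enough here since
#    the only config.yml under the web root is AllTube's.
<FilesMatch "^config\.ya?ml$">
    Require all denied
</FilesMatch>

# 3. Composer metadata and lock files are also readable by default and
#    reveal exact dependency versions; deny them as well.
<FilesMatch "^(composer\.(json|lock)|package(-lock)?\.json)$">
    Require all denied
</FilesMatch>
```

After deploying, verify from outside the host: `curl -sI http://alltube.example/.git/HEAD` and `curl -sI http://alltube.example/config/config.yml` should both return a 404 or 403 status line instead of 200 (the first rule yields 404, the `Require all denied` rules yield 403). If they still return 200, the vhost's `AllowOverride` is probably `None`, in which case the same directives belong in the `<Directory>` block of the vhost configuration rather than in `.htaccess`. Note that the maintainer's point about the source already being public holds for the code but not for `config/config.yml`, which is site-specific, and the stronger fix remains to point `DocumentRoot` at a subdirectory that contains only the public entry point so that neither `.git/` nor `config/` is under the served tree at all.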