Closed ddmler closed 8 years ago
Step #8. Enable/Install Apache mod_access so that intruders cannot open the *.inc files (shows full code as text file if not disabled). Add the following to either the Apache global config, or vhost/directory, or .htaccess:
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
That's what this step solves. It blocks all *.inc files from being opened directly. I will look into alternative options.
Sorry, didn't see that. But then there is the point that the installation should not be needlessly complicated, in my opinion. If all files are .php this step could be removed. :)
Good point. I will look into an easier and better way to handle the need I felt for the *.inc file format.
Thanks! Love getting feedback!
Done! Thanks again for the advice.
I also added a simple script to block files from being opened directly. If they are opened directly the user is redirected to the main site page.
Most webservers will print out the content of a .inc file by default, which means if anyone requests the file UserApplePie/models/db-settings.inc they get all the database credentials. To fix this: a) append .php or b) remove .inc and append .php
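An added example, not part of this thread or the UserApplePie code: a small audit that walks a web root and lists files containing PHP code under an extension the server would not execute, which is the `.inc` exposure described above. It assumes only `.php` is mapped to the PHP handler and does not evaluate deny rules such as the `<Files>` block, so treat its output as candidates to rename or block; the file layout and password below are constructed.

```python
import os
import tempfile

# Assumption: only these extensions are mapped to the PHP handler.
EXECUTED_EXTENSIONS = {".php"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")

def find_exposed_php_source(webroot, executed=EXECUTED_EXTENSIONS):
    """Return files that contain PHP code but are not run by PHP,
    so a direct request would return their source as text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() in executed:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # open tag is normally at the top
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if any(tag in head for tag in PHP_OPEN_TAGS):
                rel = os.path.relpath(path, webroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def demo():
    """Audit a constructed tree before and after renaming .inc to .php."""
    with tempfile.TemporaryDirectory() as root:
        models = os.path.join(root, "models")
        os.mkdir(models)
        # Constructed sample files; the password is a placeholder.
        samples = {
            os.path.join(models, "db-settings.inc"):
                "<?php $db_pass = 'PLACEHOLDER';\n",
            os.path.join(root, "index.php"): "<?php echo 'home';\n",
            os.path.join(root, "style.css"): "body { margin: 0; }\n",
        }
        for path, body in samples.items():
            with open(path, "w") as fh:
                fh.write(body)
        before = find_exposed_php_source(root)
        inc = os.path.join(models, "db-settings.inc")
        os.rename(inc, os.path.join(models, "db-settings.php"))
        after = find_exposed_php_source(root)
    return before, after

if __name__ == "__main__":
    print(demo())
```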