
Why store the CakePHP files outside of the webroot?

For example, this is the way that I have always been told to do it.

/home/username
  /app
  /cake
  /public_html
      index.php

I know it's because of security, but why? It's not like the users can view files in the /app/ folder anyways. The htaccess prevents that, correct?

If the user was able to get a malicious script on my webserver it wouldn't matter if the /app/ folder was in the /public_html/ or outside of the webroot, they would still alter the files under the /app/ folder, right?

So why bother?

Steven Smethurst

1 Answer


Why take the risk? If they are not in the webroot they can never be served by Apache by mistake. Sure, it shouldn't make a difference, but it goes against the Principle of Least Privilege.

Also you would normally want to have your public folder as the root of the URL, sending people to www.example.com/home/username/public_html looks a bit naff?

Jon Rhoades
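The following audit is an added example, not part of the original question or answer. It reports which URL paths map onto a directory from the file-system layout alone, that is, what the server could hand out if access rules such as .htaccess did not apply. The function names (`exposed_urls`, `demo`) and the `files` symlink are hypothetical, and the directory tree is a constructed copy of the layout in the question.

```python
import os
import tempfile
from pathlib import Path


def _inside(child, parent):
    """True if `child` equals or lies below `parent`, compared per path component."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def exposed_urls(docroot, protected_dir):
    """URL paths that map onto `protected_dir` from file-system layout alone."""
    root, target = Path(docroot).resolve(), Path(protected_dir).resolve()
    urls = []
    if _inside(target, root):  # directory physically sits below the document root
        urls.append("/" + target.relative_to(root).as_posix())
    for dirpath, dirnames, filenames in os.walk(root):  # os.walk does not follow symlinks
        for name in dirnames + filenames:
            entry = Path(dirpath, name)
            if entry.is_symlink() and _inside(target, entry.resolve()):
                via_link = entry.relative_to(root) / target.relative_to(entry.resolve())
                urls.append("/" + via_link.as_posix())
    return sorted(urls)


def demo():
    """Build the question's layout in a temp dir (constructed sample) and audit it."""
    with tempfile.TemporaryDirectory() as base:
        for d in ("app", "cake", "public_html"):
            Path(base, d).mkdir()
        Path(base, "public_html", "index.php").write_text("<?php // front controller\n")
        app, webroot = Path(base, "app"), Path(base, "public_html")
        results = {
            "docroot=public_html": exposed_urls(webroot, app),  # layout from the question
            "docroot=home": exposed_urls(base, app),  # everything under one webroot
        }
        os.symlink(app, webroot / "files")  # a stray link undoes the separation
        results["docroot=public_html+symlink"] = exposed_urls(webroot, app)
    return results


if __name__ == "__main__":
    for case, urls in demo().items():
        print(f"{case}: {urls or 'not reachable by URL'}")
```

With the layout from the question the `app` directory has no URL at all; with the whole tree under the document root it is only the access rules that stand between `/app` and a visitor.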