Web Server Security : www directory

2

I have a question about web servers, especially PHP / Apache servers.

A developer told me and my colleagues that today it is bad to put our web directory in the WWW directory, because it is unsecured (hackers know where to search).

He told us only bad developers put their files in this directory.

But we have to put them in another directory.

Is it true??

Courtin Guillaume

Posted 2016-03-31T14:11:22.377

Reputation: 21

1 A bit obvious perhaps, but any directory you use on your server should be properly secured, regardless of how it is named. – Anaksunaman – 2016-03-31T20:47:23.940

Answers

4

That's security by obscurity. In a sane setup with proper permissions, a hacker wouldn't even be in your filesystem. If he were and your system was compromised, he could just take a look at your web server config files.

Good fundamentals are always good - there's a reason web servers are run as specific users (www-data), you should always disable root ssh access (and try to work as a regular user with minimal use of sudo), give files the minimal permission settings needed and so on.

Sticking files outside the standard /var/www seems cargo culty to me. There are many reasons to do things other ways (some distros use /srv/www I think), and sometimes having a separate folder per webapp is a good idea for maintainability. I sometimes have applications that run their own servers, for example, and those don't belong on /var/www - say something that runs Django would run in its own directory, but this is mostly for maintainability and because my main web server doesn't need to see those files.

I'd ask the developer to explain why this is so anyway, just for a laugh.

Journeyman Geek

Posted 2016-03-31T14:11:22.377

Reputation: 119 122
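
The answer's advice about minimal permissions and a dedicated web server user can be checked the same way wherever the document root lives. The script below is an added example, not part of the original answer: `audit_docroot` is a hypothetical helper, the check only looks at owner and world write bits (group membership and ACLs are out of scope), and the `/var/www` default and `www-data` account name are taken from the answer.

```python
import os
import stat


def audit_docroot(root, web_uid):
    """Walk a document root and return sorted (relative_path, issue) findings.

    root    -- any directory served by the web server; its name is irrelevant
    web_uid -- numeric uid the web server runs as (e.g. the uid of www-data)
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Check the directory itself, then every file directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink say nothing about access
            rel = os.path.relpath(path, root)
            # Anyone on the host can modify this entry.
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # The server process can rewrite what it serves, so a bug in
            # the application becomes the ability to change the application.
            if st.st_uid == web_uid and st.st_mode & stat.S_IWUSR:
                findings.append((rel, "writable by web server user"))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys

    # Defaults from the answer; pass another path to audit /srv/www etc.
    docroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    uid = pwd.getpwnam("www-data").pw_uid
    for rel, issue in audit_docroot(docroot, uid):
        print(f"{issue}: {os.path.join(docroot, rel)}")
```

Upload or cache directories that the application legitimately writes to will show up as findings; those are the ones to review individually rather than silence.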