Protecting a Self-Hosted install?

This topic contains 3 replies, has 3 voices, and was last updated by  TheShniz 3 weeks ago.

  • #22571

    TheShniz
    Participant

    Are there any server-level protections that are recommended for Self-Hosted installs?

    Using WordPress as an easy example, it is strongly recommended to deny access to /wp-admin and wp-login.php for your standard, everyday WordPress install… I’m playing with Invoice Ninja for the first time and have everything working as prescribed, and just want to make sure I’m limiting any exposure to the public that does not need to be there (meaning, our sales people are all sitting in the same building where the site is being self-hosted – but still want to maintain the client portal).

    Thank you for the wonderful gem that is Invoice Ninja!
    – J

    #22572

    Titanfail
    Participant

    Biggest one I can think of applies to pretty much any Laravel application. That is, make sure that DocumentRoot points to /<YourInvoiceNinjaPath>/public rather than /<YourInvoiceNinjaPath> (if you can access the site via http://your.url alone, then you should be okay).

    If you don’t set it up this way, then that leaves your .env file open to anyone who knows the address, and they can simply go to http://your.url/.env and see all of your credentials. You’d be surprised just how many Laravel applications are live with this exact configuration flaw.

    #22584

    Hillel Coren
    Keymaster

    I agree the best setup is to map your root to /public; however, if you don’t, the .htaccess file should prevent the .env file from being viewable.
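
A configuration check for the two points made in the replies above (DocumentRoot at /public, with .htaccess as the fallback), as an added example that is not part of the original thread or Invoice Ninja's own code. The vhost text and the /var/www/invoiceninja path are constructed placeholders, and the function name audit_vhost is hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configs (not from the thread); the install path is a placeholder.
WEAK_VHOST = """
DocumentRoot "/var/www/invoiceninja"
<Directory "/var/www/invoiceninja">
    AllowOverride None
</Directory>
"""
GOOD_VHOST = """
DocumentRoot /var/www/invoiceninja/public/
<Directory "/var/www/invoiceninja/public">
    AllowOverride All
</Directory>
"""

DOCROOT = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.I | re.M)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)


def audit_vhost(conf_text, app_path):
    """Classify each DocumentRoot relative to the app directory that holds .env."""
    app = PurePosixPath(app_path)
    # Simplification: any AllowOverride other than None counts as ".htaccess honoured";
    # per-<Directory> scoping is not modelled. Apache 2.4 defaults to None when unset.
    htaccess_on = any(v.lower() != "none" for v in OVERRIDE.findall(conf_text))
    findings = []
    for raw in DOCROOT.findall(conf_text):
        root = PurePosixPath(raw)  # normalises a trailing slash
        if root == app / "public":
            verdict = "ok: .env is outside the web root"
        elif root == app or root in app.parents:
            verdict = ("warn: .env is inside the web root, protected only by .htaccess"
                       if htaccess_on else
                       "fail: .env is inside the web root and .htaccess is not honoured")
        else:
            verdict = "n/a: DocumentRoot is unrelated to the app path"
        findings.append((str(root), verdict))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_VHOST), ("good", GOOD_VHOST)):
        for root, verdict in audit_vhost(conf, "/var/www/invoiceninja"):
            print(f"{name}: {root} -> {verdict}")
```
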

    #22622

    TheShniz
    Participant

    Alrighty, that was the confirmation I was looking for then! Indeed I’ve got the document root pointing to /public and just wanted to make sure. Thank you again guys!
