# My files are accessible by everybody. I can block access via .htaccess, but I don't know which files


toxic forge
#

mysite.com/blog is serving Laravel's root dir.

You need to remap it so it serves Laravel's public/ and default to index.php

#

yes but probably not hardcode index.php

because if you need to access other files in /public the path will get messed up

ex: you have images in /public/images/

if you hardcode it will try to access /public/index.php/images/...

So make index.php the default when a path isn't specified.

median basin
#

@hollow elbow You shouldn’t be using .htaccess to block access. You should just be installing your application properly in the first place. The app directory, your .env file, etc. should be outside of your public root.

#

In the meantime, change any API keys and secrets in your .env file, because if it’s been publicly accessible then you should consider it and your keys compromised.

violet pelican
#

Along with changing the database password/username, because those are now compromised too. And yes, everything connected to the internet is scanned, especially if there are endpoints like /.env

median basin
#

The APP_KEY is your application’s encryption key. It’s used for things like encrypting cookies, so yes, it’s a big deal if you’ve leaked it.