Security: Should I move vendor dir and composer.json outside of document root?

问题

1. Just started working with composer.

2. Installed some stuff with composer into my <documentroot>/vendor/ dir.

3. Now, everybody (every hacker) can read my composer.json at http://foo.tld/composer.json

4. Then they know, which software is installed. Then they may probe my <documentroot>/vendor/ dir with URLs like http://foo.tld/vendor/symfony/.

What should I do?

a) I could:

• chmod 0600 composer.json
• put a .htaccess into the vendor dir, to deny all access

b) Move the vendor dir outside the document root (which is not always possible in shared hosting environments.

回答1:

You should move it out of DOCUMENT_ROOT.

The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.

If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.

回答2:

You mention Symfony in your example link. If you're using Symfony, if your project is in .../project, then your document root is .../project/web and that's what you tell Apache or the server you're using to use. Everything else is your "app" (let's call it that) and it doesn't need to be provided to the public.

来源：https://stackoverflow.com/questions/23579984/security-should-i-move-vendor-dir-and-composer-json-outside-of-document-root