Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Why it is always recommended to place framework files outside of the public root ?
Given that sometimes a framework doesn’t have .ini or .inc files that can be opened by a browser.
Well, there is definitely nothing to be gained from placing framework sources inside the web root. Since the choice of where to place the file is therefore free, it’s only logical to go with the principle of least privilege: you don’t need web access to these files, so you won’t get it.
A more concrete reason is that framework sources can easily disclose the brand and version of a framework being used on a website (although this information can also usually be gained by examining the generated content); this in turn can make it easier for malicious users to exploit known or newly discovered vulnerabilities.