Fat free framework - prevent direct access to html files

Time:01-03

I'm wondering if there is any good way to prevent direct access to html files in Fat Free Framework...

So the intended way would be to call a route like /login. However, with the default configuration, users could also access /ui/login.html and get the html file directly, eventually displaying {{@variable}} content, which users shouldn't see...

Unfortunately, I didn't find a way to prevent this so far, neither with PHP methods directly nor within Fat Free Framework. How could this be done?

CodePudding user response:

This could be done with some .htaccess magic where any access to your .htm[l] files is sent a 404, but the proper way to do this is to actually get them out of your public directory. Like you just pointed out, it's a security risk to have those unrendered files there. Usually an app is set up like the following:

app/
   config/
   controllers/
   ui/
   mappers/
   etc...
public/
   index.php (where your fat free index file is that defines your autoloads, config, etc)
vendor/
   (composer stuff)

If I were in your shoes, I would move your /ui/ files to a folder outside the public folder and then just change the UI hive variable to point to something like __DIR__.'/../app/ui/' instead which ultimately would solve your problem.

Also, I hope your config file isn't in the public folder! That shouldn't be there either (or committed in your code repository!)
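The layout the answer describes, written out as a minimal `public/index.php`. This is an added example, not code from the original answer or from the Fat-Free project; it assumes Fat-Free is installed via Composer (so `vendor/autoload.php` exists one level above `public/`), that the templates have been moved to `app/ui/` and the config to `app/config/`, and that the web server's document root is `public/` so nothing under `app/` is reachable by URL. The route `/login`, the template name `login.html` and the `title` hive variable are taken from the question or chosen for illustration.

```php
<?php
// public/index.php -- the only PHP entry point under the document root.
// Everything the app needs lives outside public/, so a request for
// /ui/login.html no longer maps to any file the web server can serve.

require __DIR__ . '/../vendor/autoload.php';   // assumption: Composer install

$f3 = \Base::instance();

// Point the template loader at the private ui/ directory (outside public/).
// Template::render() resolves file names relative to the UI hive variable,
// so templates are read from disk by PHP and never exposed as static files.
$f3->set('UI', __DIR__ . '/../app/ui/');

// Load configuration from the private config/ directory as well.
// Assumption: an INI file named config.ini exists there.
$f3->config(__DIR__ . '/../app/config/config.ini');

// Let Fat-Free autoload controllers from the private app/ tree.
$f3->set('AUTOLOAD', __DIR__ . '/../app/controllers/');

// The only sanctioned way to get login.html: through a route, after the
// framework has substituted every {{@variable}} placeholder.
$f3->route('GET /login', function (\Base $f3) {
    $f3->set('title', 'Login');            // value that fills {{@title}}
    echo \Template::instance()->render('login.html');
});

$f3->run();
```

With this layout a check is simple: request `/ui/login.html` against the running site and expect the framework's 404 (or the server's, if the rewrite rule does not forward it to `index.php`), while `/login` returns the rendered page with no `{{@...}}` markers left in the body.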
