I'm wondering if there is any good way to prevent direct access to html files in Fat Free Framework...
So the intended way would be to call a route like /login. However, with the default configuration, users could also access /ui/login.html and get the html file directly, eventually displaying {{@variable}} content, which users shouldn't see...
Unfortunately, I didn't find a way to prevent this so far, neither with PHP methods directly, nor within Fat Free Framework. How could this be done?
CodePudding user response:
This could be done with some .htaccess magic where any access to your .htm[l] files is sent a 404, but the proper way to do this is to actually get them out of your public directory. Like you just pointed out, it's a security risk to have those unrendered files there. Usually an app is set up like the following:

app/
    config/
    controllers/
    ui/
    mappers/
    etc...
public/
    index.php (where your fat free index file is that defines your autoloads, config, etc)
vendor/
    (composer stuff)
If I were in your shoes, I would move your /ui/ files to a folder outside the public folder and then just change the UI hive variable to point to something like __DIR__.'/../app/ui/' instead, which ultimately would solve your problem.
Also, I hope your config file isn't in the public folder! That shouldn't be there either (or committed in your code repository!)
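As an added example (not the asker's or the answerer's code, and not part of the Fat-Free project itself), here is what the front controller in public/index.php can look like once the templates live in app/ui/ outside the web root. It uses the real F3 calls `$f3->set('UI', ...)`, `$f3->route(...)` and `\Template::instance()->render(...)`; the directory layout, the `title` variable and the boot-time check that the template directory is not under the document root are assumptions for illustration.

```php
<?php
// public/index.php  (added example, not the original poster's code)
// Assumes Composer's bcosca/fatfree-core is installed and that the
// templates were moved out of the web root into ../app/ui/ (assumed layout).
require __DIR__ . '/../vendor/autoload.php';

$f3 = \Base::instance();

// Point the template loader at the non-public directory. Only index.php
// (and static assets) stay under the document root, so a request for
// /ui/login.html no longer maps to a file the web server can serve.
$f3->set('UI', __DIR__ . '/../app/ui/');

// Boot-time sanity check (assumed, not part of F3): refuse to start if the
// configured template directory still resolves to somewhere inside the
// public folder. UI may hold several ';'-separated paths; this checks each.
$publicRoot = realpath(__DIR__);
foreach (explode(';', $f3->get('UI')) as $dir) {
    $resolved = realpath($dir);
    if ($resolved !== false
        && strpos($resolved . DIRECTORY_SEPARATOR, $publicRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException(
            'Template directory ' . $dir . ' must not live under the public web root'
        );
    }
}

// All HTML is produced through the Template engine, so {{ @variable }}
// placeholders are resolved server-side before anything reaches the browser.
$f3->route('GET /login', function (\Base $f3) {
    $f3->set('title', 'Login');   // assumed hive variable used by login.html
    echo \Template::instance()->render('login.html');
});

$f3->run();
```

With this layout the usual F3 .htaccess rewrite (everything that is not an existing file or directory goes to index.php) means /ui/login.html simply falls through to the router and gets F3's 404, because the file is not under the public directory any more. Keep config files next to the templates, outside public/, and load them with `$f3->config(__DIR__ . '/../app/config/config.ini')` rather than from the web root.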