
Learning from others' mistakes - move configs out of your boot loader

I'm a keen believer in learning from other folks' mistakes and attempting not to repeat them, such as the source code disclosure, and even worse the configuration disclosure, that happened with tumblr. One thing to remember: if you keep your app's configuration outside your webroot, you reduce the chances of accidentally disclosing it. Typically one could even do something like:


<?php
// index.php lives in the webroot; bootstrap.php sits one directory above it,
// so even if the server serves index.php as plain text the configuration
// it pulls in is not reachable by URL.
require_once dirname(dirname(__FILE__)) . '/bootstrap.php';


Rather than having everything in your index.php file, separate your configuration directives out into a configuration file outside the webroot and modify that when making changes.

One can use your version control pre-commit scripts to check that you've not borked the file: checking that PHP files are of file type "PHP script" rather than plain text is one way of doing this. foo.php contains a PHP script starting with "<?php" and bar.php has the same code starting with "

$ file foo.php 
foo.php: PHP script text
$ file bar.php 
bar.php: ASCII text
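The pre-commit check described above, as an added example that is not part of the original post: a git hook that refuses to commit a .php file whose opening tag is broken, since such a file is served as plain text and discloses whatever it contains. The `--hook` flag and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pre-commit hook rejecting .php files that no longer start
# with "<?php". Such a file is handed to the client as text, which is how
# source and configuration get disclosed.

# Exit 0 if the file begins with a well-formed "<?php" tag (no BOM, no stray
# characters), 1 otherwise. Only the first five bytes are read.
php_open_tag_ok() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "<?php" ]
}

# The check from the post: ask file(1) for its classification. Older versions
# print "PHP script text", newer ones "PHP script, ...", so match the prefix.
file_says_php() {
    file -b "$1" | grep -q '^PHP script'
}

# Check every path given as an argument; report each offender on stderr and
# return 1 if any fails, 0 otherwise.
check_php_files() {
    bad=0
    for path in "$@"; do
        if ! php_open_tag_ok "$path"; then
            echo "pre-commit: $path does not start with <?php" >&2
            bad=1
        fi
    done
    return $bad
}

# Hook entry point: run the check over staged .php files only.
# Paths are split on whitespace, so filenames with spaces are not handled.
precommit_hook() {
    files=$(git diff --cached --name-only --diff-filter=ACM -- '*.php')
    [ -z "$files" ] && return 0
    check_php_files $files
}

# Only talk to git when invoked as the hook (.git/hooks/pre-commit can be a
# one-line wrapper passing --hook), so the functions can be tested on their own.
if [ "${1:-}" = "--hook" ]; then
    precommit_hook
fi
```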

