Security Announcement
Understand how to secure your PHP web projects by moving public files into a dedicated subdirectory and setting the server's document root accordingly. This lesson helps you prevent accidental exposure of sensitive project files by properly organizing directories and configuring the PHP built-in server. By the end, you'll know how to keep private data inaccessible via browsers while serving only intended public resources.
Project root should not be the document root
“Document root” means that any file inside this directory can be accessed from the browser. It’s normally not a good idea to let your project directory be the document root because there will always be files in your project that shouldn’t be publicly accessible.
Let’s create a new file called secret.txt in our project directory.
Copy the following text into the new secret.txt file:
MySeCrEtPaSsWoRd
If you go to http://APPLINK/secret.txt, you will see the secret password on the screen.
Note: You don’t have to go anywhere or open any URL. We have set things up for your convenience. We have used http://APPLINK just as a placeholder. The actual URL on which the application will be available after running the code is located below the Run button of all the coding areas given in a lesson. Keep in mind that the link won’t work until the execution of the code is complete.
You simply need to press the Run button and see how it works.
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Index</title>
</head>
<body>
  <h1>This is the index</h1>
</body>
</html>
```
Now imagine if this was the password to your database or your email account. Nobody should be able to see that!
Creating a public directory
Let’s fix this by moving everything that should be accessible from a browser to a new subdirectory inside the project.
Traditionally, such a directory is called public to indicate that only the files in this directory will be exposed.
- Create a public directory inside your project directory.
- Move index.html and favicon.ico to this directory.
Restarting the server
Now we need to tell the PHP server that it should use public/ as the document root.
Go to the terminal and stop the server by pressing Ctrl and C together.
We’re going to use the -t option now to explicitly set the document root:
```shell
php -S localhost:8000 -t public/
```
Let’s quickly verify that it works:
- When you go to http://APPLINK/, you should see: “This is the homepage”.
- When you go to http://APPLINK/secret.txt, you should see: “Not Found”.
Let’s run it right away!
We have already set things up for you and executed the command. You just need to press the Run button below and open the webpage in a new tab by clicking the URL link provided below the button. You will see the homepage.
Then, try to access secret.txt through the URL.
```html
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Index</title>
</head>
<body>
  <h1>This is the homepage</h1>
</body>
</html>
```
You can access any existing webpage by appending its name to the URL.
This is exactly what we want: the homepage is supposed to be a public page.
secret.txt should not be accessible from the browser.
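As an added illustration (not code from the lesson or from the PHP server itself), the following Python model reproduces the document-root mapping described above: it builds the lesson's layout in a temporary directory, then resolves the same URLs first with the project root and then with public/ as the document root. The resolver is an assumed, plain static-file lookup with the `..` normalization any web server must perform; it says nothing about the PHP built-in server's internals.

```python
import os
import tempfile
from pathlib import Path


def resolve(docroot, url_path):
    """Map a URL path onto a file under docroot the way a static server does:
    normalise the path, refuse anything that escapes the document root,
    and serve index.html for a directory. Returns a Path, or None (404)."""
    root = Path(docroot).resolve()
    # Drop any query string, then collapse "." and ".." segments so that
    # "/../secret.txt" cannot climb above the document root.
    clean = os.path.normpath("/" + url_path.split("?", 1)[0].lstrip("/"))
    candidate = (root / clean.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None  # escaped the document root (e.g. via a symlink)
    if candidate.is_dir():
        candidate = candidate / "index.html"
    return candidate if candidate.is_file() else None


def make_project():
    """Construct the lesson's layout in a temp dir (sample data, not a real
    secret): secret.txt in the project root, index.html and favicon.ico
    under public/."""
    project = Path(tempfile.mkdtemp(prefix="proj-"))
    (project / "secret.txt").write_text("MySeCrEtPaSsWoRd\n")
    public = project / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>This is the homepage</h1>\n")
    (public / "favicon.ico").write_bytes(b"")
    return project


def probe(docroot):
    """Return {url_path: 'served' | 'Not Found'} for the lesson's URLs,
    plus a traversal attempt, against the given document root."""
    return {p: ("served" if resolve(docroot, p) else "Not Found")
            for p in ("/", "/secret.txt", "/../secret.txt")}


if __name__ == "__main__":
    project = make_project()
    print("docroot = project root:", probe(project))
    print("docroot = public/     :", probe(project / "public"))
```

With the project root as document root, /secret.txt is served; with public/ as document root, both /secret.txt and the traversal attempt come back as Not Found while / still serves the homepage.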