Unfortunately I must use Typo3 at work, I know, stupid idea, and they store the whole application in the web server's document root, so everything is public by default.
Well, then you configured it to do so.
The application is stored in public, but has .htaccess rules to prevent any access to it. It is possible to do some access protection checks within the “Install Tool”, which may also re-generate some of those .htaccess files for you, in case they are missing.
The vendor folder and .env file are supposed to be saved outside of the document root. TYPO3 encourages this and gives a pretty clear example on how to accomplish this using Composer. See composer.typo3.org/ (“extra” section in the composer.json example file).
In cases where you have a web package without access above the document root, you might need to store these files in the document root. The same conditions apply to all other PHP frameworks, like Symfony etc. However, even then TYPO3 denies any access to these files, using .htaccess rules yet again. See github.com/TYPO3/TYPO3.CMS/blob/ma... (line 292, deny access to dot files).
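The two checks the reply above describes, written out as an added example (this is not TYPO3's own code, nor the commenter's): a POSIX shell audit that first lists anything under a document root that should live a level above it (`.env`, `composer.json`, `vendor/`, `.git/`), and then, if a base URL is given, probes a live site for the same names and expects the web server to refuse them. The document root path, the URL and the list of names are assumptions for illustration; `.htaccess` itself is deliberately not on the list, since it is expected to sit in the document root.

```shell
#!/bin/sh
# Added example, not TYPO3 project code. Audit a web server document root for
# files that must never be reachable over HTTP, then optionally probe a site.
# DOCROOT, BASE_URL and SENSITIVE_NAMES are assumptions for illustration.

# Names that should not live under the public document root at all. If they
# must (no access above the document root), the web server has to block them,
# e.g. for Apache 2.4 with: <FilesMatch "^\."> Require all denied </FilesMatch>
SENSITIVE_NAMES='.env .htpasswd composer.json composer.lock vendor .git'

# find_exposed DOCROOT: print every sensitive file or directory found under
# DOCROOT. Returns 0 when nothing was found, 1 when at least one hit exists.
find_exposed() {
    docroot=$1
    found=0
    for name in $SENSITIVE_NAMES; do
        # -name matches files and directories alike (vendor/, .git/)
        hits=$(find "$docroot" -name "$name" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return $found
}

# probe_url BASE_URL: request each sensitive path and report any response that
# is not a refusal. 403 or 404 is what a correctly configured server returns;
# 200 means the file is readable, and a 301/302 usually means the directory
# exists and is not blocked, so both are reported. Needs network access.
probe_url() {
    base=${1%/}
    bad=0
    for name in $SENSITIVE_NAMES; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$name")
        case $code in
            403|404) ;;
            *) printf 'EXPOSED %s -> HTTP %s\n' "$base/$name" "$code"; bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone use: sh check_docroot.sh /var/www/site/public [https://site.example]
if [ -n "${1:-}" ]; then
    if find_exposed "$1"; then
        echo "document root looks clean: $1"
    else
        echo "files above must be moved out of $1 or denied by the web server"
    fi
    [ -n "${2:-}" ] && probe_url "$2"
fi
```

The first check is the one to run on a web package that cannot keep files above the document root; the second is the one to run after the .htaccess rules have been regenerated from the Install Tool, because a file the server refuses to serve is only safe as long as that rule is actually active. With a Composer-based setup the cleaner fix is the one the reply points at: the TYPO3 composer template sets the document root via the `extra` section (`"typo3/cms": {"web-dir": "public"}`), so `vendor/` and `.env` stay one directory above `public/` and the audit above finds nothing.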
There's an extension to use a .env file for the configuration, but this extension also wants this file in the root of the public folder. That's a very high security risk.
It is true that a .env file in a public folder with public access would be a very large security risk. So please don't do this. Instead, move it outside of the public folder or use the other security measures provided by TYPO3.
I know that the Typo3 developers are not following modern development or design rules and use a lot of old coding styles, but I'll try opening an issue for this.
Argumentum ad ignorantiam.