Is this secure salt and password above htdocs or www


#1

Well I didn’t find a way to move cakephp above (www, htdocs, etc)
Please refer to Remove cakephp 3.4 from webroot how to

I did however:

  • Made a folder above htdocs (even with apache) named cake34up
  • Put tmp\cache in that folder
  • Put logs there also
  • Created a file to house the salt and db password named salt.php

Now in cakephp (the folder inside htdocs) in the configs I,

include ROOTUP . "salt.php";

in paths

///paths.php


define('DIR', '/cakephp/'); //at bottom
/**
 * Path to the temporary files directory.
 */
define('TMP', ROOTUP . DS . 'tmp' . DS);

/**
 * Path to the logs directory.
 */
define('LOGS', ROOTUP . 'logs' . DS);

/**
 * Path to the cache files directory. It can be shared between hosts in a multi-server setup.
 */
define('CACHE', TMP . 'cache' . DS);
//////do cache also///////////////////////

in index

index.php
define('ROOTUP', realpath(__DIR__ . '/../../../cake34up') . DIRECTORY_SEPARATOR);

in app

app
            'username' => 'root',
            'password' => $password,
            'database' => 'tjhs2',
            'encoding' => 'utf8',
            'timezone' => 'UTC',
            'flags' => [],
            'cacheMetadata' => true,
            'log' => false,

Notice I use $password, which I get from cake34up.

So the secure items are housed in cake34up, please let me know if this is secure. Seems cake is fairly secure anyway, but just some extra precautions.


#2

Subfolder install & security in production? :confused: I don’t really like, ok in test or development environment but not in production. If your needs is use subfolders, you can move stuff above document root, but this, imho, not introduce security improvements.

Instead an important precaution (git based projects) against spreading salt, password… is add

  • config/app.php
  • tmp/*

in .gitignore


#3

@fiblan that was my original question, I cannot see a way to point the public part of an install to a higher folder, see
Remove cakephp 3.4 from webroot how to for original question. Seems older versions you could.


#4

I replied in your original question