Security: Should I move vendor dir and composer.json outside of document root?

Question

1. Just started working with composer.

2. Installed some stuff with composer into my <documentroot>/vendor/ dir.

3. Now, everybody (every hacker) can read my composer.json at http://foo.tld/composer.json

4. Then they know, which software is installed. Then they may probe my <documentroot>/vendor/ dir with URLs like http://foo.tld/vendor/symfony/.

What should I do?

a) I could:

• chmod 0600 composer.json
• put a .htaccess into the vendor dir, to deny all access

b) Move the vendor dir outside the document root (which is not always possible in shared hosting environments.

Answer 1

You should hide this files from prying eyes.

Just organise files correctly. For example following structure:

proj
|-- app
|   |-- bootstrap.php
|   +-- functions.php
|-- composer.json
|-- composer.lock
|-- public
|   |-- index.php
|   |-- css
|   |-- images
|   +-- scripts
+-- vendors
     |-- package1 
     +-- package2

• Put all your logic into app (also can be src, lib etc)
• Put all assets in public directory (also can be www, webroot etc)
• Put simple index.php in public where include your application bootstrap file from ../app like require dirname(__DIR__) . '/app/bootstrap.php';
• Hide all the rest from public
  • set webserver to serve files from /path/to/proj/public
  • or, in case of shared hosting, secure root dir with .htaccess file:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule    ^$    webroot/    [L]
    RewriteRule    (.*) webroot/$1    [L]
</IfModule>

Please note: if you're using framework, especially MVC — it will be better to follow recommended by framework structure.

Answer 2

You mention Symfony in your example link. If you're using Symfony, if your project is in .../project, then your document root is .../project/web and that's what you tell Apache or the server you're using to use. Everything else is your "app" (let's call it that) and it doesn't need to be provided to the public.

Answer 3

You should move it out of DOCUMENT_ROOT.

The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.

If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.