This week I had some problems and suddenly the .htaccess file became downloadable and readable by web users.
After changing things back to normal I noticed that the main .htaccess file in the root of Drupal has a FilesMatch, but one of the most important files, settings.php, is not in the list.
Should we change this to the following so the risk will be lower?

# Protect files and directories from prying eyes.
<FilesMatch "[existing pattern not preserved in the post]|settings\.php">
  Order allow,deny
</FilesMatch>
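An added example, not from this issue or Drupal's own .htaccess, of a deny rule for settings.php written so that it holds even when the PHP handler is not applied to the file, which is the failure mode described in the report above. It assumes Apache 2.4 with mod_authz_core or Apache 2.2 with mod_authz_host, and the file name pattern is illustrative.

```apache
# Added example: deny direct requests for settings.php and common editor
# backup copies of it, whether or not mod_php handles the request.
# The match is on the file name, so the rule still applies when the PHP
# handler is missing and Apache would otherwise serve the raw source.
<FilesMatch "^settings\.php(~|\.bak|\.orig|\.save|\.sw[op])?$">
  # Apache 2.4 (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (mod_authz_host); "Order allow,deny" with no Allow line
  # already denies everything, "Deny from all" makes that explicit.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

With this in place a direct request for settings.php returns 403 instead of a blank page, so a handler misconfiguration shows up as forbidden requests in the access log rather than as a silent source disclosure.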

Comments

drumm

Status: Active » Closed (won't fix)

Directly requesting settings.php will be interpreted as a PHP file. Since settings.php does not actually do anything on its own, the user would get a blank page.

laurenwestenberg

Of course, but I think this is not logical. People should get a Forbidden. Also I had a problem where I could download the whole file, open it and see the password.
With settings.php in the .htaccess list this wouldn't be possible. I think this would improve security, even if only by 0.1%.