Ages and ages ago when I started coding for the web, I read somewhere that it was more secure to keep the file containing your password and sensitive variables outside of the public web root. I’ve always taken this as law, and I’ve jumped through all kinds of hoops to structure my sites and framework in this manner.

But is it necessary? I’d love your thoughts on the matter.

For Dreamweaver users, this is important for two reasons: 1) the Connections folder is placed automatically in your site definition’s file root, and 2) Dreamweaver freaks out and breaks in all kinds of new and interesting ways when the file root and the public web root are not the same.

If I’m jumping through all of these hoops unnecessarily, I’d like to do something about it and stop banging my head against a wall.

To clarify what I mean, let’s take a linux install where the home directory is “/var/www”, and the public web is served from “/var/www/html”. In this case, you’d set the Dreamweaver file root to “/var/www”. Thus, the Connections folder is kept outside the public web root. In theory, there’s no way this folder could be hacked through human/webmin error (forgetting to turn off apache indexing, for instance), or through some other means.

So my question to you, my loyal readers, is whether this is necessary. What are the implications to keeping the Connections folder inside the public web root? Do you consider this to be dangerous, or am I worrying unnecessarily?

Thoughts? Discuss.

Tags: dreamweaver, security, site root, web root

This entry was posted on Saturday, November 24th, 2007 at 7:04 am and is filed under Opinion, Recommendations . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.