Is it okay to expose .yml or .install files to public?

by SkyRar   Last Updated November 22, 2018 17:07 PM

As per my knowledge the static files like css/js inside core/modules etc should be read by http server user. So normally I give read permission recursively to http user for directories like core, theme, modules etc. But these directory contains some .yml or .install files e.g drupal/web/core/modules/user/user.install which gets downloaded automatically when someone visits my site example.com/core/modules/user/user.install .

So is it okay to expose those files to public ? and what steps can be taken to avoid it ?

Note: Drupal default .htaccess may take care of these thing but what about other servers like nginx ?

Tags : 8 security


Related Questions



Trying to make my entire site https

Updated April 21, 2015 04:03 AM


Blind SQL Injection. How to solve?

Updated March 19, 2016 08:03 AM

Drupal security ACL

Updated April 14, 2015 02:32 AM