Opened 15 years ago
Closed 15 years ago
#13578 closed (wontfix)
Hack to prevent project files (passwords, etc.) from being served by some Apache (RFE)
Reported by: | JonathanHayward | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.1 |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
For http://docs.djangoproject.com/en/dev/intro/tutorial01/#creating-a-project, users are strongly advised to store project files outside the directories served up by a server.
I'm not sure whether this should be advised in the documentation, but for Apache, if AllowOverride is enabled as it often is, a .htaccess file that contains a syntax error will cause an error page to be displayed on attempted access. If such a .htaccess file is included, there is an extra layer of protection. (This could be advised in the documentation or included in startproject.)
Jonathan, http://JonathansCorner.com
Thanks for the suggestion, but I think that this is a bit out of scope for Django's tutorial. On the very first page of a tutorial, we don't want to get stuck into the specifics of Apache configuration. Advising people to keep their code out of their Apache root is a basic level of safety, but when people get to deployment for real, we want them to hunt down better sources of information.
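An added example, not part of the ticket or of Django: a small audit that checks the tutorial's advice by listing Django project files that sit under a web server's document root, and noting whether a .htaccess file lies above them. The marker file names, the function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# File names that mark a Django project (assumption: default startproject layout).
MARKERS = {"settings.py", "manage.py"}


def find_exposed_project_files(docroot):
    """Return (relative_path, htaccess_above) for each project file under docroot.

    htaccess_above is True when a .htaccess exists in the file's directory or
    any parent up to docroot. It only helps if Apache has AllowOverride enabled
    for that tree, which cannot be determined from the filesystem.
    """
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        hits = sorted(MARKERS.intersection(files))
        if not hits:
            continue
        # Walk upward from this directory to docroot looking for .htaccess.
        covered, probe = False, dirpath
        while True:
            if os.path.isfile(os.path.join(probe, ".htaccess")):
                covered = True
                break
            if probe == docroot:
                break
            probe = os.path.dirname(probe)
        for name in hits:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            findings.append((rel.replace(os.sep, "/"), covered))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a document root with two projects inside it."""
    for rel in ("index.html", "site_a/manage.py", "site_a/site_a/settings.py",
                "site_b/.htaccess", "site_b/manage.py", "site_b/conf/settings.py"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, covered in find_exposed_project_files(build_sample_tree(tmp)):
            print(f"{rel}: under document root, .htaccess above: {covered}")
```

Any path the function returns is a project file inside the served tree; an empty result is the layout the tutorial recommends.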