Opened 14 years ago

Closed 14 years ago

#13578 closed (wontfix)

Hack to prevent project files (passwords, etc.) from being served by some Apache (RFE)

Reported by: JonathanHayward
Owned by: nobody
Component: Documentation
Version: 1.1
Severity:
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

For http://docs.djangoproject.com/en/dev/intro/tutorial01/#creating-a-project , users are strongly advised to store project files outside the directories served up by a server.

I'm not sure whether this should be advised in the documentation, but for Apache, if AllowOverride is enabled as it often is, a .htaccess file that contains a syntax error will cause an error page to be displayed on attempted access. If such a .htaccess file is included, there is an extra layer of protection. (This could be advised in the documentation or included in startproject).

Jonathan, http://JonathansCorner.com

Change History (1)

comment:1 by Russell Keith-Magee, 14 years ago

Resolution: wontfix
Status: new → closed

Thanks for the suggestion, but I think that this is a bit out of scope for Django's tutorial. On the very first page of a tutorial, we don't want to get stuck into the specifics of Apache configuration. Advising people to keep their code out of their Apache root is a basic level of safety, but when people get to deployment for real, we want them to hunt down better sources of information.
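
The advice both posts rely on, keeping project files out of the directories the web server serves, can be checked mechanically. The following is an added example, not part of the ticket or of Django: it walks a served directory and lists `settings.py` / `manage.py` files reachable through it, including via symlinks. The function names, the `htdocs` / `mysite` / `othersite` layout and the sample file contents are constructed for illustration.

```python
import os
import tempfile

# Files created by Django's startproject that should never be web-reachable.
PROJECT_FILES = {"settings.py", "manage.py"}

def served_project_files(document_root):
    """List project files reachable under document_root, as paths relative to it.

    Symlinks are followed, because a link inside the served tree can expose a
    project that physically lives elsewhere (Apache follows such links when
    FollowSymLinks or SymLinksIfOwnerMatch permits it).
    """
    seen, hits = set(), []
    for dirpath, dirs, files in os.walk(document_root, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:          # symlink loop or second route to the same dir
            dirs[:] = []
            continue
        seen.add(real)
        hits.extend(
            os.path.relpath(os.path.join(dirpath, name), document_root)
            for name in files if name in PROJECT_FILES
        )
    return sorted(hits)

def build_demo_tree(base):
    """Create a constructed sample layout under base and return the served root."""
    docroot = os.path.join(base, "htdocs")
    inside = os.path.join(docroot, "mysite")           # project wrongly inside docroot
    outside = os.path.join(base, "srv", "othersite")   # project kept outside
    for d in (inside, outside):
        os.makedirs(d)
        with open(os.path.join(d, "settings.py"), "w") as fh:
            fh.write("SECRET_KEY = 'constructed-sample'\n")
    open(os.path.join(docroot, "index.html"), "w").close()
    # A symlink from the served tree back to the outside project re-exposes it.
    os.symlink(outside, os.path.join(docroot, "link"))
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path in served_project_files(build_demo_tree(tmp)):
            print("reachable under served directory:", path)
```

An empty result for every served directory is the state the tutorial's advice aims for.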
