Protecting a Self-Hosted install?

Are there any server-level protections that are recommended for Self-Hosted installs?

Using WordPress as an easy example, it is strongly recommended to deny access to /wp-admin and wp-login.php for your standard, everyday WordPress install… I’m playing with Invoice Ninja for the first time and have everything working as prescribed, and just want to make sure I’m limiting any exposure to the public that does not need to be there (meaning, our sales people are all sitting in the same building where the site is being self-hosted - but still want to maintain the client portal).

Thank you for the wonderful gem that is Invoice Ninja!

  • J

Biggest one I can think of applies to pretty much any Laravel application. That is, make sure that DocumentRoot points to /<YourInvoiceNinjaPath>/public rather than /<YourInvoiceNinjaPath> (if you can access the site via http://your.url alone, then you should be okay).

If you don’t set it up this way, then that leaves your .env file open to anyone who knows the address, and they can simply go to http://your.url/.env and see all of your credentials. You’d be surprised just how many Laravel applications are live with this exact configuration flaw.

I agree the best setup is to map your root to /public; however, if you don’t, the .htaccess file should prevent the .env file from being viewable.
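As an added example (not from this thread or the Invoice Ninja project), an Apache virtual host showing the mistaken DocumentRoot from the first reply beside the corrected one, plus an explicit dotfile deny as the fallback the second reply relies on. The path /var/www/invoiceninja and the hostname are assumptions.

```apache
# Added example for a self-hosted Invoice Ninja (Laravel) install.
# /var/www/invoiceninja and invoices.example.com are placeholders.

# WEAK: DocumentRoot at the application root. Every file in the checkout,
# including .env, is reachable by URL unless an .htaccess happens to block it.
#
# <VirtualHost *:443>
#     ServerName invoices.example.com
#     DocumentRoot /var/www/invoiceninja
# </VirtualHost>

# CORRECTED: DocumentRoot at public/. Only index.php and static assets sit
# inside the web root; .env, storage/ and vendor/ live one level above it
# and cannot be requested at all.
<VirtualHost *:443>
    ServerName invoices.example.com
    DocumentRoot /var/www/invoiceninja/public

    <Directory /var/www/invoiceninja/public>
        Options -Indexes +FollowSymLinks
        # AllowOverride All lets Laravel's public/.htaccess rewrite
        # pretty URLs to index.php.
        AllowOverride All
        Require all granted
    </Directory>

    # Defence in depth: even if DocumentRoot is ever pointed at the wrong
    # directory again, refuse to serve any dotfile (.env, .git, .htaccess).
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading Apache, requesting /.env on your own host should return 403 or 404 rather than the file contents, which is the quick confirmation that the web root is where it should be.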

Alrighty, that was the confirmation I was looking for then! Indeed I’ve got the document root pointing to /public and just wanted to make sure. Thank you again guys!