I am using an API that requires a file with customer data as a parameter (customer name, postcode, town, ...). I have the idea to store the file in the var folder because the server has write access to it. However, I'd like to fully understand the risk of this data being compromised.
1 Answer
It's good practice to store sensitive data outside the Apache (web server) document root.
It depends on how your server is set up. The var folder should not be accessible to the web, BUT you should always (in my opinion) store sensitive data below the root of the website. I would not do it.
A good option to look into is open_basedir. You will find this info on the web or stackexchange.
Brad
- Many thanks for your time. I have indeed read about open_basedir further to your recommendations. I now have additional questions, as some hosts may or may not have open_basedir enabled. Overall I see the possible issues with the var folder, and that was my question indeed. It strikes me it is dangerous only if the permissions on the site are not correctly set up, and I may not choose at this time to use this option though. – Herve Tribouilloy Oct 12 '15 at 15:56
- One other reason to put it below the root is that if someone hacks your website, disables PHP, deletes your index.php or something else (depending on configuration), they can see your folder structure and browse around. – Brad Oct 12 '15 at 20:24
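An added example, not part of the original answer or comments: a Python check of the two conditions the thread turns on, whether the data file resolves to a path under the web server's document root and whether its permissions let other local users read it. It goes one step beyond the thread by also flagging a file outside the root that a symlink inside the root points at; the directory names and the `audit_data_file` helper are assumptions made for illustration.

```python
import os
import stat
import tempfile


def inside(root, path):
    # commonpath compares whole components: /srv/www-data is not inside /srv/www
    return os.path.commonpath([root, path]) == root


def audit_data_file(doc_root, data_file):
    """Return findings for a sensitive file; an empty list means none."""
    root = os.path.realpath(doc_root)
    target = os.path.realpath(data_file)  # resolves symlinks and ".."
    findings = []
    links = (os.path.join(d, n) for d, dirs, files in os.walk(root)
             for n in dirs + files)
    if inside(root, target):
        findings.append("inside-document-root")
    elif any(os.path.islink(p) and inside(os.path.realpath(p), target)
             for p in links):
        # a symlink under the document root can expose an outside path
        findings.append("linked-from-document-root")
    if os.stat(target).st_mode & stat.S_IROTH:
        findings.append("readable-by-other-users")
    return findings


def build_demo(base):
    """Constructed layout: htdocs/var inside the web root, private/ beside it."""
    paths = {"web": os.path.join(base, "htdocs"),
             "in_var": os.path.join(base, "htdocs", "var", "customers.csv"),
             "outside": os.path.join(base, "private", "customers.csv")}
    for key, mode in (("in_var", 0o644), ("outside", 0o600)):
        os.makedirs(os.path.dirname(paths[key]))
        with open(paths[key], "w") as fh:
            fh.write("name,postcode,town\n")  # constructed sample row
        os.chmod(paths[key], mode)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        demo = build_demo(base)
        for key in ("in_var", "outside"):
            print(key, audit_data_file(demo["web"], demo[key]))
```

An empty result only means these two checks passed; whether the web server actually serves a path still depends on its own configuration.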