Gitify : improve the _backup/ and _data/ directories security

By the Gitify works on my production server, and by default, the _backup/ directory is accessible by anyone.
Of course, a curious visitor can’t browse the directory (Error 403) but the files could be accessible with the full URL such as https://mydomain.tld/_backup/2019-06-22T100636+0200.sql

Maybe a simple .htaccess with a deny from all in this directory could be a good idea, or move the _backup/ directory outside the /htdocs directory…

And I don’t know if there are sensible informations inside _data directory (credential, user account…), but improve the security for this directory too could be important.

What do you thing ?

Yes you should lock down those directories, absolutely.

These are good thoughts @Spheerys, that’s why I (and probably most Gitify users) moved the 3 directories (_backup/_data/_keys) outside the public-root.

My MODX project (whis is also a .git-repository) looks like this:


  • /
    :: Root / Configuration Files / Scripts
  • /_backup
    :: Gitify Backup Directory
  • /_data
    :: Gitify Object Directory
  • /_keys
    :: Gitify Keys Directory
  • /server (local modx-dev-server)
    :: Directory for MODX Local Development Server
  • /www
    :: Webroot / MODX Directory (only necessary files should get versioned/transferred)

Then inside your Gitify-config you just point a directory up ../ to the new private folders.
If you scaffold your projects also like this, you shouldn’t have any public access left :+1:

1 Like

It’s also fairly simple to use htaccess rewrites to block access to directories that start with a dot or underscore, or specific directories/files:

RewriteRule ^(\.|_build|_data|config\.core\.php) /index.php?q=wordpress-is-awesome [L]

Giving it a q parameter of a non-existent resource will make it show the MODX 404 page, giving no indication that the file/directory exists.

1 Like