Protect the codebase by denying direct access and executing of php scripts in /include/php

README.md

@@ -36,7 +36,13 @@ server {
     }
 
     location /webmum {
-            try_files $uri $uri/ /webmum/index.php?$args;
+        try_files $uri $uri/ /webmum/index.php?$args;
+    }
+
+    # protect the codebase by denying direct access
+    location ^~ /webmum/include/php {
+        deny all;
+        return 403;
     }
 }
 ```
@@ -59,7 +65,13 @@ server {
     }
 
     location / {
-            try_files $uri $uri/ /index.php?$args;
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    # protect the codebase by denying direct access
+    location ^~ /include/php {
+        deny all;
+        return 403;
     }
 }
 ```
@@ -104,6 +116,10 @@ Without subdirectory in URL (e.g. `http://webmum.mydomain.tld/`):
 </VirtualHost>
 ```
 
+Access to the codebase is denied with a `.htaccess` file under ^/include/php^.
+
+
+
 ## WebMUM Configuration
 
 Configure WebMUM via the configuration file at `config/config.inc.php`.

include/php/.htaccess

@@ -0,0 +1 @@
+Deny from all