
Hi guys, I have a few questions regarding a few common practices when dealing with CMSes:

1- How can I install ProcessWire above the root for better security?

2- How can I change the default folder for uploading images? For example, I'd like to create a folder /uploads in the root and have all my uploaded images in there. And can I have multiple folders or just one folder for all images?

3- Is it possible to have site assets (css, js etc) stored in a folder /assets in the root?

If you have other common practices or security tips etc and you'd like to share, please do. ;)


I don't think that would be an easy task but you can rest assured that Ryan took very good measures to keep the PW folders as secure as they can be.


"3- Is it possible to have site assets (css, js etc) stored in a folder /assets in the root?"

Yes, I prefer to do that. You just link to the files accordingly.

You don't HAVE TO keep them in the "/site/" folder.


Regarding moving assets (as in static site files, JS and images etc.) outside /site/:

Keeping everything "site-specific" within /site/ can make upgrading ProcessWire slightly easier and enables you to move all site-specific files to another server / PW installation etc. without needing to wonder which files were / are part of PW and which belong to this specific site.

This is also how (and why) modules such as Site Profile Exporter work; they simply copy (most) content of /site/ folder and leave everything else intact.

So, the short answer is "yes, you can do it." But that doesn't necessarily mean that you should do it :)

1- How can I install ProcessWire above the root for better security?

You can move your /wire/ dir wherever you want and use symlinks. However, I don't think this would do anything for security. The benefit of doing it would be just if you want to share the same /wire/ dir among multiple installs. I think that some CMS products are prone to vulnerable files and so you want to move them out of web root. ProcessWire is not one of those products and your .htaccess file protects several directories from web access.

2- How can I change the default folder for uploading images? For example, I'd like to create a folder /uploads in the root and have all my uploaded images in there. And can I have multiple folders or just one folder for all images?

You can try modifying PW's /index.php file to choose a different $config->assets dir. But I don't recommend it, as I've not tested it. 

3- Is it possible to have site assets (css, js etc) stored in a folder /assets in the root?

Yes, you can store these assets wherever you want. ProcessWire doesn't actually link to them, only you do, in your template files. As a result, it doesn't matter where you put them. 
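As an added example (not code from this thread or from ProcessWire itself), here is a small POSIX shell helper that performs the move-and-symlink step described in the reply above for /wire/: it refuses a destination that is still inside the document root, refuses to touch an existing symlink, and checks that the new link resolves to the moved directory. It assumes the web server is allowed to follow symlinks (for Apache, `Options FollowSymLinks` or `SymLinksIfOwnerMatch` on the document root), otherwise the relocated /wire/ is simply unreachable.

```shell
#!/bin/sh
# Added example, not part of the thread or of ProcessWire.
# relocate_wire <docroot> <destination-dir>
#   Moves <docroot>/wire to <destination-dir>/wire and leaves a symlink
#   at <docroot>/wire pointing at it. Returns 1 without changing anything
#   when the destination lies inside the document root (which defeats the
#   purpose), when <docroot>/wire is missing or already a symlink, or when
#   <destination-dir>/wire already exists.
relocate_wire() {
  # Resolve both paths physically so the containment check cannot be
  # fooled by ".." segments or by symlinked parent directories.
  docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  dest=$(cd "$2" 2>/dev/null && pwd -P) || return 1

  case "$dest/" in
    "$docroot"/*)
      echo "destination $dest is inside the document root $docroot" >&2
      return 1 ;;
  esac

  [ -d "$docroot/wire" ] && [ ! -L "$docroot/wire" ] || {
    echo "no real wire/ directory in $docroot" >&2; return 1; }
  [ -e "$dest/wire" ] && { echo "$dest/wire already exists" >&2; return 1; }

  mv "$docroot/wire" "$dest/wire" || return 1
  ln -s "$dest/wire" "$docroot/wire" || return 1

  # Sanity check: the link must resolve to the directory we just moved.
  [ "$(cd "$docroot/wire" 2>/dev/null && pwd -P)" = "$dest/wire" ] || return 1
  echo "wire/ now lives in $dest/wire, linked from $docroot/wire"
}
```

Run it as `relocate_wire /var/www/html /var/www/private` (constructed paths) and then request a known /wire/ URL to confirm the server follows the link.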

