Symphony.

I wonder if it’s a good practice to add .htaccess file containing:

Options -Indexes

in /extensions, /workspace and /manifest folders?

If your setup (i.e. virtual server) allow indexes, yes, you are right. Indeed it shouldn’t. So I think that for Symphony it is not a necessity. And it would make installation on a different web server than Apache more difficult.

On the other hand the future plans for Symphony — storing most of your application logic in XML files — will require some special measures anyway. Let’s see how the team solves this.

Later versions I think use .htaccess to block specific file types from /manifest, so the same could be done for the new XML files - I’m sure that would be a standard requirement.

As for indexes, I recommend you disable this globally for Apache across your entire server rather than relying on the CMS to do it; it’s good practice to disable this and just enable it with htaccess in specific directories when you need it.

I currently use this option in all my projects. All of them in Apache, and always worked very well.

Leaving files exposed, in my opinion, is not pretty.

http://getsymphony.com/extensions/

http://getsymphony.com/workspace/

http://getsymphony.com/manifest/

Plus it can provide information for people with bad intentions. eg recognize the extensions used on the site and find out their versions to take advantage of security flaws - in outdated systems…

Most of the servers I work with do not have access to the apache configuration directly (I need to research more about this). Then need to insert Options -Indexes in the main CMS .htaccess anyway, right?

Do not know how this will be in Symphony file-based version…

If you don’t have access to the configuration and the provider enabled Indexes, you should definitely change your provider. Indexes should never be enabled by default.

I see, thanks for the explanation. I’ll check about this with the server.