Effect on security of Laravel 5 when changing folder structure to remove public folder

I'm new to Laravel 5.

I found "Laravel 5 - Remove public from URL" on Stack Overflow to remove the public folder from my Laravel 5 app. I only have a question about the security.

When I remove public from the URL, I have to change the basic folder structure of Laravel 5. Yes, it works fine without public in the URL.

But what about the security of Laravel, since I am changing the default folder structure? Is it secure to use?

asked Jul 15 '15 05:07 by CodeBriefly


1 Answer

You should be pointing your Apache host root to the $LARAVEL_PATH/public directory instead of $LARAVEL_PATH.

The point of having a subdirectory as the www host root instead of the project root is that you're not leaking any of your project files through your web server.

Even though all the PHP files have the file suffix .php, a malicious user can access your $LARAVEL_PATH/storage directory and its subdirectory contents, read your composer.json or package.json to find vulnerable dependencies, or read the .env file, etc.

If you're running on shared hosting and you have a mandatory public_html, try installing Laravel outside of that public_html directory and either remove public_html (if empty) and replace it with a symlink to $LARAVEL_PATH/public, OR if you want the Laravel instance to be a subdirectory of public_html, do the same but create a symlink from $LARAVEL_PATH/public to public_html/$PROJECT_SUBDIR.

That public directory is there for a reason: to make the project a bit more secure. Solve the actual problem and don't try to break this simple but nice security addition. :)

answered Nov 20 '22 14:11 by trm42
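
The layout described in the answer can be verified on disk. The following is an added example, not part of the original answer: it resolves a document root (following a public_html symlink) and reports any Laravel project files that root would serve. The function names and the sample tree are constructed for illustration.

```bash
# Added example: audit a web server document root for exposed Laravel
# project files. Entry names (.env, composer.json, package.json, storage)
# come from the answer; artisan and vendor are added as further markers
# of a Laravel project root. Function names are hypothetical.

# Print each sensitive entry that sits directly under the resolved docroot.
# Symlinks are resolved first, so public_html -> $LARAVEL_PATH/public is
# judged by the directory it actually serves. Returns 2 if docroot is missing.
exposed_entries() {
    local docroot real entry
    docroot=$1
    real=$(cd "$docroot" 2>/dev/null && pwd -P) || return 2
    for entry in .env composer.json package.json storage artisan vendor; do
        if [ -e "$real/$entry" ]; then
            printf '%s\n' "$real/$entry"
        fi
    done
    return 0
}

# Exit 0 when nothing sensitive is under the docroot, 1 when something is,
# 2 when the docroot cannot be resolved.
docroot_is_safe() {
    local found
    found=$(exposed_entries "$1") || return 2
    [ -z "$found" ]
}

# Build a constructed Laravel-like tree plus a shared-hosting style
# public_html symlink pointing at the project's public directory.
make_sample_tree() {
    local base
    base=$(mktemp -d) || return 1
    mkdir -p "$base/laravel/public" "$base/laravel/storage/logs"
    : > "$base/laravel/.env"
    : > "$base/laravel/composer.json"
    : > "$base/laravel/public/index.php"
    ln -s "$base/laravel/public" "$base/public_html"
    printf '%s\n' "$base"
}

if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_tree)
    docroot_is_safe "$base/laravel" || echo "project root as docroot: EXPOSED"
    docroot_is_safe "$base/public_html" && echo "public_html symlink: ok"
    rm -rf "$base"
fi
```

This checks only the filesystem layout; the web server configuration (for Apache, the DocumentRoot of the virtual host) still has to point at the directory that passes.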