Apache .htaccess Security
The cluster discusses web server configurations, particularly Apache's .htaccess files, and how to prevent exposing sensitive dotfiles such as .env and .htaccess when a misconfiguration allows them to be served publicly. Commenters highlight the security risks, the antipatterns, and best practices for keeping application code out of reach of the web server.
Sample Comments
Sounds like the functionality we see configured in e.g. .htaccess files.
There are quite a few examples in there of “the bad guy” trying to find files (like .env) that are accidentally left somewhere. From my PHP days I remember that indeed Apache/PHP just serves up any file from anywhere as a static file if it isn’t PHP. My memory is pretty vague on this and I don’t remember if this behaviour is configurable, but I guess it must be. Having done mostly Ruby on Rails since, it feels so strange now that a web server can be some kind of a file browser into your code.
That is an apacheism to avoid serving .htaccess which can include hashed passwords. It's not a general thing.
Don't let the web server access the app's code, so many security problems solved...
Are you sure it isn't .ht* that's blocked? That's what the default config is on my system.
TL;DR: Antipattern: pointing web server config to any files based in /home.
HELLO. I FOUND THAT YOUR WEB SERVER HAS DIRECTORY INDEX ENABLED. THIS MAY BE A MAJOR SECURITY INCIDENT.
You could do that at the server level (not the app level); e.g. in the .htaccess file for Apache users.
The downloadable distribution of CodeIgniter and many other PHP frameworks have those files and boilerplate to protect badly configured Apache setups where the user just unzips the downloaded distribution into public_html. If you have .php files handled by PHP, or you have the mod_rewrite .htaccess rules enabled, the PHP files won't be exposed to the user. None of these are necessary if you have properly configured your web server.
Does Apache web server use this trick?
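The hardening the thread circles around, written out as an added example for this page (it is not Apache's shipped configuration nor any framework's bundled .htaccess): the stock Apache 2.4 stanza that hides only `.ht*`, next to rules that deny every dotfile and dot-directory, switch off directory listings, and point DocumentRoot at a `public/` subdirectory so the rest of the application tree is never reachable. The layout under /var/www/app and the hostname app.example.test are assumptions made for the illustration.

```apache
# Assumed layout (illustrative only):
#   /var/www/app/public   <- the only directory the web server should serve
#   /var/www/app/src, /var/www/app/vendor, /var/www/app/.env, /var/www/app/.git
# Apache 2.4 syntax throughout; 2.2 would spell the denials as
# "Order deny,allow" / "Deny from all".
# Apache does not allow a comment on the same line as a directive,
# so every comment here sits on its own line.

# 1. What the default httpd.conf ships: it protects .htaccess and .htpasswd
#    (and anything else starting with ".ht") and nothing more. A stray .env,
#    .git/config or config.yml sitting in the DocumentRoot is still served.
<Files ".ht*">
    Require all denied
</Files>

# 2. Widen the rule to every dotfile (.env, .bash_history, ...). FilesMatch
#    tests the file's basename, so a DirectoryMatch is also needed to close
#    off dot-directories such as .git and .svn and everything inside them.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>

# Caveat: the rule above would also hide /.well-known/, which ACME clients
# (e.g. Let's Encrypt HTTP-01) need. DirectoryMatch sections merge in file
# order, so a later grant for that one path wins over the earlier denial.
<DirectoryMatch "/\.well-known/">
    Require all granted
</DirectoryMatch>

# 3. The change that turns the rules above into defence in depth instead of
#    the only barrier: serve public/ only, never the application root or
#    anything under /home.
<VirtualHost *:80>
    ServerName app.example.test
    DocumentRoot /var/www/app/public

    # Deny the application root. <Directory> sections merge from shortest
    # to longest path, so the narrower public/ section below overrides this.
    <Directory /var/www/app>
        Require all denied
    </Directory>

    <Directory /var/www/app/public>
        # -Indexes: no auto-generated directory listings
        # -FollowSymLinks: a symlink dropped into public/ cannot escape it
        Options -Indexes -FollowSymLinks
        # .htaccess is never consulted; all policy lives in this file
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

After loading this, `apachectl configtest` validates the syntax and requests for `/.env`, `/.git/config` or `/src/` against the vhost should return 403 or 404 while `/index.php` and `/.well-known/` continue to work. The `AllowOverride None` line is also why the framework-shipped .htaccess files in the last comment are unnecessary on a properly configured host: they are only read when the server is told to honour them.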