Safe general config file for webapp

Question

I would like to keep all config options for a webapp in one file. (pathes, passwords, options which are read by php, sass (during compilation), maybe grunt,..)

I like the JSON format since its very clear and almost anything can parse json. But by default .json files can be downloaded.

Can I safely prevent that by giving the file a .json.php extension?

What are the drawbacks? Better Approaches?

Answer 1

To prevent the file being downloaded, generally the way to go is to store it in a directory that is not served by the web server. I don't know what setup you're in, but assuming an Apache setup, if for example your .php files are served from a directory /home/user/htdocs , you could create a directory /home/user/config , ensure that it is readable by the webserver, and store the .json files there.

Another approach, again assuming Apache, would be to create an .htaccess file containing the following (inspired by this answer ):

RedirectMatch 404 \.json$ 

This would not only prevent downloading any and all .json files in the directory, but hide their very existence.

It might just be possible to do it the way you suggested, by storing the file with a .json.php extension, although this would not be a recommended approach. For this to work, the file has to be valid PHP but it must obviously be valid JSON as well and we are hampered somewhat by the fact that JSON does not allow comments. Something like the following would stop the PHP interpreter soon after the start of the file, before spilling your secrets:

{
  "<?php exit('Access denied'); ?>": null,
  "password": "secret"
}