Protecting config file of web hosting

Question

I have recently done security audit of my website coded in php. Security audit report has suggested not save hard-coded credentials in config file on web hosting.

How can i store it at some other place for protecting it

Answer 1

Determine what your case. Many way to protect the configurations files, depending of your requirements.

But - NO SYSTEM IS SAFE

When you have custom code ( eg: not to use such a full framework ) that you created custom config files. You could include outside of your public directory on web hosting panel / public root directory.

Depending on shared hosting use apache (based) as their web server, you could use .htaccess to set important environment, for example:

<IfModule mod_env.c>
SetEnv APP_ENVIRONMENT production
SetEnv DB_NAME database_name
SetEnv DB_PASS database_password
</IfModule>

And the other one is, make your files hidden and disable access / forbid the dot file, eg:

.config.php
.configuration.php
.any-file-name-here.php

and disable access to all hidden files on htaccess file.

# Deny access to hidden files - files that start with a dot (.)
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>

Back to It depends on your needs. Configuration files can be safe as long as you do your best to keep your code as bug-free as possible.