I have recently done security audit of my website coded in php. Security audit report has suggested not save hard-coded credentials in config file on web hosting.
How can i store it at some other place for protecting it
Determine what your case. Many way to protect the configurations files, depending of your requirements.
But - NO SYSTEM IS SAFE
When you have custom code ( eg: not to use such a full framework ) that you created custom config files. You could include outside of your public directory on web hosting panel / public root directory.
Depending on shared hosting use apache (based) as their web server, you could use .htaccess to set important environment, for example:
<IfModule mod_env.c>
SetEnv APP_ENVIRONMENT production
SetEnv DB_NAME database_name
SetEnv DB_PASS database_password
</IfModule>
And the other one is, make your files hidden and disable access / forbid the dot file, eg:
.config.php
.configuration.php
.any-file-name-here.php
and disable access to all hidden files on htaccess file.
# Deny access to hidden files - files that start with a dot (.)
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
Back to It depends on your needs. Configuration files can be safe as long as you do your best to keep your code as bug-free as possible.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.