Secure the server: prevent the users from browsing/getting files from the conf directories.

With Apache, it is still a must to enable htaccess with the spec "AllowOverride All". The index.php files are here to prevent from browsing whatever the HTTP server config.

.gitignore

@@ -1,9 +1,14 @@
 
 # no slash at the end to handle also symlinks
 /toolkit
-/conf
 /env-*
 
+# listing prevention in conf directory
+/conf/**
+!/conf/.htaccess
+!/conf/index.php
+!/conf/web.config
+
 # composer reserver directory, from sources, populate/update using "composer install"
 vendor/*
 test/vendor/*

conf/.htaccess

@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *

conf/index.php

@@ -0,0 +1,2 @@
+<?php
+echo 'Access denied';

conf/web.config

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+  <system.web>
+          <authorization>
+                  <deny users="*" /> <!-- Denies all users -->
+          </authorization>
+  </system.web>
+</configuration>