deployment and operations

Static Files And Public Document Roots

Keep The Public Surface Small

  • Use a narrow public/ or equivalent root.
  • Serve versioned static assets efficiently.
  • Route dynamic requests through the front controller.

Request Files That Must Fail

  • Try requesting private filenames.
  • Verify static cache headers.
  • Verify private uploads require application authorisation.

Treat Uploads Separately

  • Repository-root serving exposes sensitive files.
  • Public upload directories can execute or expose untrusted content.
  • Missing asset versioning causes stale frontend files.

Public Root Sketch

public/
  index.php
  build/app.8f3a91c.css
  build/app.23d01aa.js

outside public/
  src/
  config/
  var/log/
  storage/private/

Private uploads should be stored outside the web root and served through application authorisation or a controlled storage mechanism. Public uploads still need safe naming and content handling; placing untrusted files beneath a web root can create exposure or execution risks.
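The following is an added example, not code from the original page: a front-controller route that serves a private invoice stored outside public/ in the way the paragraph above describes. It assumes PHP 8.1 or later, that this file lives in src/ and is required from public/index.php, that the login flow has already set $_SESSION['user_id'], and that invoices live under storage/private/invoices/. The INVOICES table is a constructed in-memory stand-in for a database lookup.

```php
<?php
declare(strict_types=1);

// Assumed layout (see the Public Root Sketch): this file is src/invoice_route.php,
// so the private root resolves to <repo>/storage/private/invoices, outside public/.
const PRIVATE_INVOICE_ROOT = __DIR__ . '/../storage/private/invoices';

// Constructed sample data: invoice id => owning user id and stored filename.
// In a real application this comes from the database, never from the URL.
const INVOICES = [
    1001 => ['owner' => 42, 'file' => '1001.pdf'],
    1002 => ['owner' => 7,  'file' => '1002.pdf'],
];

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Every failure path sends no body and forbids caching of the response.
function fail(int $status): never
{
    http_response_code($status);
    header('Cache-Control: no-store');
    exit;
}

function serveInvoice(int $invoiceId): void
{
    $userId = currentUserId();
    if ($userId === null) {
        fail(401);
    }

    $invoice = INVOICES[$invoiceId] ?? null;
    // Same response for "does not exist" and "belongs to someone else", so the
    // route does not reveal which invoice ids are valid.
    if ($invoice === null || $invoice['owner'] !== $userId) {
        fail(404);
    }

    // Resolve the stored name and confirm the result is still inside the private
    // root, so a tampered filename in storage cannot reach other files.
    $base = realpath(PRIVATE_INVOICE_ROOT);
    $path = realpath(PRIVATE_INVOICE_ROOT . '/' . $invoice['file']);
    if ($base === false || $path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        fail(404);
    }

    header('Content-Type: application/pdf');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="invoice-' . $invoiceId . '.pdf"');
    header('X-Content-Type-Options: nosniff');
    // A private document must not be stored by shared caches or proxies.
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

// Dispatch for GET /invoices/{id}; any other path falls through to the rest of the
// front controller, so nothing under storage/ is ever mapped to a URL directly.
$uri = (string) (parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/');
if (preg_match('#^/invoices/(\d+)$#', $uri, $m)) {
    session_start();
    serveInvoice((int) $m[1]);
}
```

The URL carries only an invoice id, never a filename; the filename is looked up after the ownership check and then re-validated with realpath, so the file is reachable only through this authorised route and never by guessing a path beneath the web root.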

Practice

Practice: Audit Public Paths

Audit a deployment layout for a web app with private invoice uploads. List the paths that should respond directly and the paths that must fail when requested by URL.

Requirements

  • Use a narrow public/ or equivalent root.
  • Serve versioned static assets efficiently.
  • Route dynamic requests through the front controller.
  • Try requesting private filenames.
  • Verify static cache headers.
  • Verify private uploads require application authorisation.

Expose the front controller and versioned public assets beneath public/. Keep source code, environment files, Composer metadata, logs, caches, and private uploads outside that directory.

Request representative private paths through HTTP and confirm that they fail. Verify asset cache headers separately. An invoice download should pass through an authorised application route or a controlled storage URL rather than a guessable public path.
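As an added example (not part of the original page), the audit described above as a small PHP CLI script: each probe names a URL path, the status codes that count as a pass, and the cache expectation. The list of paths, the one-year max-age bar for versioned assets, and the sample responses are constructed for illustration and assume PHP 8.1 or later; with no base URL the script checks the built-in sample responses, and with a base URL it requests each path over HTTP.

```php
<?php
declare(strict_types=1);

// Assumed bar for a versioned asset: a max-age of at least one year.
const ONE_YEAR = 31536000;

// 'cache' => 'long' for versioned assets, 'no-store' for private routes,
// null when the request must fail anyway so caching is not the question.
const PROBES = [
    // Must fail: files that live outside public/ must never resolve by URL.
    ['path' => '/.env',                              'ok' => [403, 404],      'cache' => null],
    ['path' => '/composer.json',                     'ok' => [403, 404],      'cache' => null],
    ['path' => '/config/services.yaml',              'ok' => [403, 404],      'cache' => null],
    ['path' => '/var/log/prod.log',                  'ok' => [403, 404],      'cache' => null],
    ['path' => '/storage/private/invoices/1001.pdf', 'ok' => [403, 404],      'cache' => null],
    // Must succeed, with long-lived cache headers: versioned build assets.
    ['path' => '/build/app.8f3a91c.css',             'ok' => [200],           'cache' => 'long'],
    // Private download without a session: denied, and not cacheable.
    ['path' => '/invoices/1001',                     'ok' => [401, 403, 404], 'cache' => 'no-store'],
];

// Constructed sample responses used when no base URL is given. The log file
// entry is deliberately wrong (reachable) so the report shows what a failure looks like.
const SAMPLE_RESPONSES = [
    '/.env'                              => [404, ['Content-Type' => 'text/html']],
    '/composer.json'                     => [404, ['Content-Type' => 'text/html']],
    '/config/services.yaml'              => [404, ['Content-Type' => 'text/html']],
    '/var/log/prod.log'                  => [200, ['Content-Type' => 'text/plain']],
    '/storage/private/invoices/1001.pdf' => [404, ['Content-Type' => 'text/html']],
    '/build/app.8f3a91c.css'             => [200, ['Cache-Control' => 'public, max-age=31536000, immutable']],
    '/invoices/1001'                     => [401, ['Cache-Control' => 'no-store']],
];

// Returns a list of findings for one probe; an empty list means it passed.
function evaluate(array $probe, int $status, array $headers): array
{
    $findings = [];
    $path = $probe['path'];
    if (!in_array($status, $probe['ok'], true)) {
        $findings[] = sprintf('%s: got %d, expected %s', $path, $status, implode('/', $probe['ok']));
    }
    $headers = array_change_key_case($headers, CASE_LOWER);
    $cc = strtolower((string) ($headers['cache-control'] ?? ''));
    if ($probe['cache'] === 'long') {
        $maxAge = preg_match('/max-age=(\d+)/', $cc, $m) ? (int) $m[1] : 0;
        if ($maxAge < ONE_YEAR) {
            $findings[] = sprintf('%s: Cache-Control "%s" is not long-lived', $path, $cc);
        }
    } elseif ($probe['cache'] === 'no-store' && !str_contains($cc, 'no-store')) {
        $findings[] = sprintf('%s: private response lacks Cache-Control: no-store', $path);
    }
    return $findings;
}

// Live probe through the http stream wrapper. Redirects are not followed, so a
// 30x to a login page is reported as a 30x rather than as the login page's status.
function fetch(string $baseUrl, string $path): array
{
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'ignore_errors' => true]]);
    $raw = @get_headers($baseUrl . $path, true, $ctx);
    if ($raw === false || !preg_match('#^HTTP/\S+\s+(\d{3})#', (string) $raw[0], $m)) {
        return [0, []];
    }
    unset($raw[0]);
    $headers = [];
    foreach ($raw as $name => $value) {
        // Repeated headers arrive as arrays; join them so the checks see one value.
        $headers[(string) $name] = is_array($value) ? implode(', ', $value) : (string) $value;
    }
    return [(int) $m[1], $headers];
}

function runAudit(?string $baseUrl): int
{
    $failures = 0;
    foreach (PROBES as $probe) {
        [$status, $headers] = $baseUrl === null
            ? SAMPLE_RESPONSES[$probe['path']]
            : fetch($baseUrl, $probe['path']);
        $findings = evaluate($probe, $status, $headers);
        printf("%-4s %s\n", $findings === [] ? 'ok' : 'FAIL', $probe['path']);
        foreach ($findings as $finding) {
            echo "     $finding\n";
        }
        $failures += count($findings);
    }
    return $failures === 0 ? 0 : 1;
}

// Usage: php audit_public_paths.php                (check the constructed samples)
//        php audit_public_paths.php https://staging.example.test
exit(runAudit($argv[1] ?? null));
```

Run it against a staging host after each deployment change; a non-zero exit code means a path outside public/ answered, a versioned asset lost its cache headers, or a private route became cacheable.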