Best way to block static files when using Bedrock

I’m wondering what’s the best way to block acces to files which shouldn’t be public such as :

  • .env
  • config (directory)
  • composer.json
  • composer.lock
  • Gemfile
  • etc.

I could write something in my Capistrano recipe to manually delete the unnecessary files after the composer update task and automatically output the necessary .htaccess rules to block the .env and other config files…

But I assume that this logic is needed by anybody using Bedrock, so It must already be in there somewhere. Isn’t it?

If you are using a recent version of Bedrock, everything public is in the “web” directory. Thus, any files like the composer files and .env files are not publicly accessible. Problem solved.

Yep, that did the trick.