Thanks for link but the guide only blocks certain files, I might be able to adjust the configuration to block access to the vendor folder. However if the default deployment of Sage allows access to the vendor folder I can’t use the project in it’s current form. It’s too much of a security risk.