Source files accessible via web


I’ve been playing around with bedrock and sage as a base for a new WordPress project. While hooking up the sage build steps to the capistrano deployment I realized that the structure of sage will leave the source files accessible on the web server.

I tried this out with several sites built with sage/bedrock, e.g.

At least it seems dotfiles like .travis.yml are forbidden. On other pages I was able to open them as well, tough.

Not having worked much with frontend stacks based on gulp/grunt etc. Is this something I should be concerned about or is this perfectly normal?

1 Like

You can definitely safely restrict access to the assets folder. The dist folder is the only thing that needs to be there. You can treat the dist folder like a binary.

Restrict access via:

  • Unix permissions (not world readable)

  • Some sort of server config.

  • Delete the folder as a part of your deploy step