giter you could protect the admin files using a password at the webserver level. That would be the easiest, but not very convenient for administrators. Or protect by IP range if you know you will always access the admin from a fixed IP.

Some big companies using Flarum must have developed their own "locked down" version of Flarum that automatically prevents accessing files the current user doesn't need, but I have no insights into that. I just know their admin files are not visible in the Lab.

Some forums use further javascript minification (some intentionally, some it's their host/proxy doing it automatically) which limits what the Lab can do with the data. But everything's still there for someone who wants to put in the effort.

Minifying the javascript for the purpose of hiding which features are available isn't very effective since the list of extension IDs are present in the Flarum JSON boot payload anyway.

Can I ask what you're trying to make invisible on the forum? Many things can be seen straight away from the development tools as you say, and most of the things could be "guessed" by a skilled person anyway.

If your forum is fully private, and only accessible to invited users, I can understand you might want to hide the full extension bundle for guests. This could probably be achieved using a Flarum extension, where guests would see a "light" version of Flarum with just core features to allow login, and where the full bundle is downloaded for logged in users only. The extension would need to make the name of the javascript file either unguessable, or actually implement some access control on that route instead of leaving nginx/apache serve the file.

    10 days later

    Ralkage What needs to be done to prevent access? Personally I've never noticed, but it turns out that none of my installations can access composer.json and I don't remember doing anything specific for that.

        clarkwinkelmann Of course! I hadn't thought about it, it's too obvious that I'm like a zombie when installing... 😅

          Justoverclock if you are using Apache, check that htaccess files and mod rewrite are enabled.

          If you are using Nginx, there are commented lines in the included nginx config. If you're using a different webserver, you need to write your own blacklist.

              clarkwinkelmann i have sitegroud (supposed to be Apache as web server and Nginx as reverse proxy). i have uncommended line on nginx config and uncommented line on htaccess....

                  thats my htaccess:

                  <IfModule mod_rewrite.c>
  RewriteEngine on

  # Ensure the Authorization HTTP header is available to PHP
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

  # Uncomment the following lines if you are not using a `public` directory
  # to prevent sensitive resources from being exposed.
 RewriteRule /\.git / [F,L]
 RewriteRule ^auth\.json$ / [F,L]
 RewriteRule ^composer\.(lock|json)$ / [F,L]
 RewriteRule ^config.php$ / [F,L]
 RewriteRule ^flarum$ / [F,L]
 RewriteRule ^storage/(.*)?$ / [F,L]
 RewriteRule ^vendor/(.*)?$ / [F,L]

  # Pass requests that don't refer directly to files in the filesystem to index.php
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^ index.php [QSA,L]
</IfModule>

# Disable directory listings
Options -Indexes

# MultiViews can mess up our rewriting scheme
Options -MultiViews

# The following directives are based on best practices from H5BP Apache Server Configs
# https://github.com/h5bp/server-configs-apache

# Expire rules for static content
<IfModule mod_expires.c>
  ExpiresActive on
  ExpiresDefault                                      "access plus 1 month"
  ExpiresByType text/css                              "access plus 1 year"
  ExpiresByType application/atom+xml                  "access plus 1 hour"
  ExpiresByType application/rdf+xml                   "access plus 1 hour"
  ExpiresByType application/rss+xml                   "access plus 1 hour"
  ExpiresByType application/json                      "access plus 0 seconds"
  ExpiresByType application/ld+json                   "access plus 0 seconds"
  ExpiresByType application/schema+json               "access plus 0 seconds"
  ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
  ExpiresByType application/vnd.api+json              "access plus 0 seconds"
  ExpiresByType application/xml                       "access plus 0 seconds"
  ExpiresByType text/calendar                         "access plus 0 seconds"
  ExpiresByType text/xml                              "access plus 0 seconds"
  ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
  ExpiresByType image/x-icon                          "access plus 1 week"
  ExpiresByType text/html                             "access plus 0 seconds"
  ExpiresByType application/javascript                "access plus 1 year"
  ExpiresByType application/x-javascript              "access plus 1 year"
  ExpiresByType text/javascript                       "access plus 1 year"
  ExpiresByType application/manifest+json             "access plus 1 week"
  ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
  ExpiresByType text/cache-manifest                   "access plus 0 seconds"
  ExpiresByType text/markdown                         "access plus 0 seconds"
  ExpiresByType audio/ogg                             "access plus 1 month"
  ExpiresByType image/bmp                             "access plus 1 month"
  ExpiresByType image/gif                             "access plus 1 month"
  ExpiresByType image/jpeg                            "access plus 1 month"
  ExpiresByType image/png                             "access plus 1 month"
  ExpiresByType image/svg+xml                         "access plus 1 month"
  ExpiresByType image/webp                            "access plus 1 month"
  ExpiresByType video/mp4                             "access plus 1 month"
  ExpiresByType video/ogg                             "access plus 1 month"
  ExpiresByType video/webm                            "access plus 1 month"
  ExpiresByType application/wasm                      "access plus 1 year"
  ExpiresByType font/collection                       "access plus 1 month"
  ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
  ExpiresByType font/eot                              "access plus 1 month"
  ExpiresByType font/opentype                         "access plus 1 month"
  ExpiresByType font/otf                              "access plus 1 month"
  ExpiresByType application/x-font-ttf                "access plus 1 month"
  ExpiresByType font/ttf                              "access plus 1 month"
  ExpiresByType application/font-woff                 "access plus 1 month"
  ExpiresByType application/x-font-woff               "access plus 1 month"
  ExpiresByType font/woff                             "access plus 1 month"
  ExpiresByType application/font-woff2                "access plus 1 month"
  ExpiresByType font/woff2                            "access plus 1 month"
  ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>

# Gzip compression
<IfModule mod_deflate.c>
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/vnd.geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/wasm" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/collection" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/otf" \
                                  "font/ttf" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "image/x-icon" \
                                  "text/cache-manifest" \
                                  "text/calendar" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/plain" \
                                  "text/markdown" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
    </IfModule>
</IfModule>

# Fix for https://httpoxy.org vulnerability
<IfModule mod_headers.c>
  RequestHeader unset Proxy
</IfModule>

                    Justoverclock my unscientific method to troubleshooting htaccess files is to just write garbage in the <IfModule mod_rewrite.c> block. If the website returns a 500 error, it means the htaccess and rewrite mod are working. If the website doesn't crash, it means Apache is ignoring the file.

                      • [deleted]

                      • Post #173

                      Justoverclock I've worked out why the rewrites aren't working. Siteground listens with NGINX, then passes back to Apache for processing. It most cases, the nginx.conf and .htaccess should do all of the work, but they are being IGNORED ! I have proven this by renaming both files, and the site still functioned even after clearing the cache 🤯

                      As a workaround, I have had to configure URL security which seems to work. The grade is now capped at C, but by the time I'm done, it should be at least A

                        Following askvortsov suggestion, I implemented gzip support and reporting to the Lab.

                        This means the Lab will now accept gzip for all requests, which can potentially speed up the scan for websites hosted on slower connections or on the other side of the globe (all requests are made from a DigitalOcean Droplet in Germany).

                        The Lab will also show show whether gzip is supported in the "Assets size" box and how much bandwidth you are saving.

                        If the server doesn't support gzip, a message will appear in the same box with recommendations on how to enable it.

                          12 days later

                          The Lab has been experiencing technical issues these last few days. Not sure why yet, but it's constantly running out of memory. Might be too popular!

                          I'll try to move it to a new server in the coming days, so don't worry if you see it offline for a while. I'm keeping it online for now but if it gets too unstable I'll switch it to maintenance mode.