Document that custom multisite vhost webserver config musst apply the same protection as .htaccess

Created on 29 April 2015, about 10 years ago

Updated 12 May 2025, about 13 hours ago

This issue was reported to the Drupal Security team and it was decided to make this public as documentation improvement issue.

Problem/Motivation

In a multi-site setup the files folder of all sites must be protected from PHP execution. Example: public_httpdocs/sites/a.com/files and public_httpdocs/sites/b.com/files must be restricted in every vhost config file (when .htaccess files are ignored).

Proposed resolution

Document that, but where?

Remaining tasks

User interface changes

None.

API changes

None.

📌 Task

Status

Postponed: needs info

Version

11.0 🔥

Component

documentation

Created by

🇦🇹Austria klausi 🇦🇹 Vienna

Live updates comments and jobs are added and updated live.

stale-issue-cleanup
To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 13 hours ago →
🇺🇸United States smustgrave
Thank you for creating this issue to improve Drupal.

We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024