EXC | DEV | Documentation | Version 1.0

Protecting your php code

It is a good idea to isolate your code so that only the absolute minimum is reachable via traditional http.

In EXC we recommend that you place your code in a folder named src. To protect this folder you just need to add a .htaccess file with the following line:

deny from all

This prevent users to make direct http request to your files.

.htaccess File

EXC uses an .htaccess file under APACHE to add some rewrite rules and add some security options.

The following is an explanation of options recommended for your .htaccess.

Security entries

Options -Indexes

Disable directory listing

Lock down files

<files app.php>
	order allow,deny
	deny from all
<files controller.*.php>
	order allow,deny
	deny from all

Disable access to special files, request for these files will get a HTTP 403 Forbidden error.

Rewrite Rules

The rules for short-hand urls included in the .htaccess are mainly for scenarios where you have one instance of EXC that is acting as an application server. In a more typical setting of stand-alone applications these rule may not be considered that much useful, but we urge users to keep them on their deployments.

Short-Hand for the javascript and css folder

RewriteRule  ^((?:[^\/]*/)*)(a\/)([A-Za-z0-9-_\.]+\.js)$  $1/assets/js/$3 [L,QSA]
RewriteRule  ^((?:[^\/]*/)*)(a\/)([A-Za-z0-9-_\.]+\.css)$  $1/assets/css/$3 [L,QSA]

These rules allows to access files in your application's assets/js/ and assets/css/ by just using the shorthand myapp/a/script.js or myapp/a/style.css which will map to your corresponding js or css folder.

Short-Hand for the assets folder

RewriteRule  ^((?:[^\/]*/)*)(a\/)([A-Za-z0-9-_\.]+\.[a-z]{2,3})$  $1/assets/$3 [L,QSA]

This rules allows you to refeer to you assets folder just using a/, for example myapp/a/myfolder/afile.css will be myapp/assets/myfolder/afile.css.

Controller Mapping

RewriteRule  ^((?:[^\/]*/)*)(c\/)([A-Za-z0-9-_]+\.[A-Za-z0-9-_]+|[A-Za-z0-9-_]+)$  exc/loader.php [L,QSA]

This rule adds what we call a controller URL. A controller url look like this:

/myapp/c/main or /myapp/c/main.loadRecord

In the example above the part after /c/ is what we call the controller segment. It tells EXC that you are invoking a given action in your controller. In the first example the controller is main and it does not specify an action. The second example also calls the controller main but it specifies the action loadRecord. A controller url is send to /exc/loader.php to dispatch the request.

In this rule we have to ensure that we have a correct path to exc/loader.php depending on your setup. As provided in this example it would look for the folder exc in the same folder that you have your .htaccess file.

In a setup where EXC is a shared instance we may want to place this rewrite rule in a .htaccess on the same folder where you put the shared instance of exc. This will allow for some handy urls, for example lets say we put our exc folder to be shared in the folder apps of our document root, then we can do:


JWT Support

RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Enable JWT support by copying any Authorization header to an environment variable.

Optional entries

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC,OR]
RewriteRule \.(jpeg|JPEG|jpe|JPE|jpg|JPG|gif|GIF|png|PNG|mng|MNG|svg|SVG)$ - [F]

Prevent image hot linking, explained here.

Fork me on GitHub