Sure, that’s always sound advice. However, most projects are usually designed in... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		AndroTux on Nov 29, 2023 \| parent \| context \| favorite \| on: Roundcube open-source webmail software merges with... Sure, that’s always sound advice. However, most projects are usually designed in a way that their logs are either not exposed at all (due to not being in the webroot for example), or have measurements in place to avoid exposing them (like WordPress for example). Roundcube just puts them there and you have to actively think about excluding them from your webserver configuration. Plus, they dump really sensitive information in there by default. That’s why I wanted to explicitly point it out in this case.

crtasm on Nov 29, 2023 [–]

Can you configure Roundcube to store them outside the webroot?

iggldiggl on Nov 30, 2023 | [–]

If you're running Roundcube on its own subdomain, you just set the webroot to the "public_html" subfolder and then nothing else is accessible.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact