3.7 Folder Exposed – Kirby Health Check

Hey Everyone,

today I wanted to update my website to 3.7.1.

After I did that I came along the new Health Check in the Panel.
So I’ve got 3 Error Messeges wich tell me that the site, content and kirby folder are probably exposed. I clicked on the messege and got directed to kirby’s security checklist wich tells me that there is maybe something wrong with my .htaccess.

I checked that and everything matched perfectly with the »vanilla-htaccess« (included in the plain kit). Then I tried out all the url checks
(e.g. http://www.yoursite/content/site.txt) and always got, like expected, redirected to the errorpage.

So I think everything is alright but I still have there errors in the Health check.
Any Idea how to fix this or how kirby checks the folder/file permissions?

Thank you!

What do you get in your browser console when you open system view?

Hey texnixe!

I get »Running system health checks for the Panel system view; failed requests in the following console output are expected behavior«
and »System health checks ended.«

Does this help?

Is that all? No xhr requests with their status?

This is what I see:

And I also get these system warnings on localhost:

Which is not surprising in my case, because my local system runs on Laravel Valet with Nginx, so the .htaccess is of no use and I haven’t bothered fixing the Valet Nginx configuration.

Hey texnixe,

I get no xhr-requests at all on my liveserver, but some on my dev server.

I get no warning on my localhost except the »https recommendation«

Kirby checks those URLs that are shown in the console screenshot I posted above. It seems that they are accessible. Guess the URLs itself are only shown when debugging is enabled for security reasons.

Got a little Update:
I can see the XHR-Requests now via Chrome Network View:

Hm, a 302 means that the URL is accessible after all. I get 404s for them on Apache and that’s what Kirby expects, I guess.


Is there a way to modify the htaccess to make a 404 out of the 302?
I mean, somehow change this line:

RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

Do you get the same result with a fresh Starterkit on your server?

I guess you could return a 404 directly from your htaccess instead of sending those request through Kirby’s router. But Kirby’s router should return a 404 for those requests, not a 302. So wondering if you have any routes in place that return the 302.

1 Like

Hey texnixe,

I found a solution wich is most likely a workaround.
And I think at some point I have to make a new installation of kirby to fix all those permission errors. I’m not the owner of the server it’s always a bit tough though.

So my solution was to block all folders with a custom .htaccess wich includes a simple

Deny from all 

when I try to access the files/folders directly with the url
(e.g. http://www.yoursite/content/site.txt) it throws an classic 403 error
instead of redirecting to the errorpage.
Anyway. Now I get the expected 403s and no Security Issues are shown.

Thank you!

I’m having the same issue.
Content, Site and Kirby folders all seem to be exposed.
Never had it before. htaccess is Kirby default.

Could the fact my site is hosted as an ‘Addon Domain’ within another sites cPanel account have anything to do with it?

Are you using any routes or other redirects anywhere?

no none.

Do you also get this information on localhost?

No it’s fine on localhost

Hm, an Addon Domain creates a separate virtual host that should be independent of the other site. Then it’s probably a problem with the configuration.

Does the other site also live in a separate folder, or does it sit in the main doc root?

Addon site is in a separate folder within the main root folder (public_html).

Main site:

Addon site:

What Kirby does to determine if the folders are accessible is check the http response for the following urls:

  • yourdomain/content/site.txt
  • yourdomain/kirby/composer.json
  • yourdomain/.git/config
  • yourdomain/site/blueprints/site.yml

So something seems to interfere with your add-on project’s .htaccess file.

What if you put that other site into a separate folder and point the domain to that new folder?

I’ve moved the Addon domain out of the main sites public_html folder into a folder on the same level.

Main site:

Addon site:

But still get the same issue.