3.7 Folder Exposed – Kirby Health Check

Hey Everyone,

today I wanted to update my website to 3.7.1.

After I did that I came along the new Health Check in the Panel.
So I’ve got 3 Error Messeges wich tell me that the site, content and kirby folder are probably exposed. I clicked on the messege and got directed to kirby’s security checklist wich tells me that there is maybe something wrong with my .htaccess.

I checked that and everything matched perfectly with the »vanilla-htaccess« (included in the plain kit). Then I tried out all the url checks
(e.g. http://www.yoursite/content/site.txt) and always got, like expected, redirected to the errorpage.

So I think everything is alright but I still have there errors in the Health check.
Any Idea how to fix this or how kirby checks the folder/file permissions?

Thank you!

What do you get in your browser console when you open system view?

Hey texnixe!

I get »Running system health checks for the Panel system view; failed requests in the following console output are expected behavior«
and »System health checks ended.«

Does this help?

Is that all? No xhr requests with their status?

This is what I see:

And I also get these system warnings on localhost:

Which is not surprising in my case, because my local system runs on Laravel Valet with Nginx, so the .htaccess is of no use and I haven’t bothered fixing the Valet Nginx configuration.

Hey texnixe,

I get no xhr-requests at all on my liveserver, but some on my dev server.

I get no warning on my localhost except the »https recommendation«

Kirby checks those URLs that are shown in the console screenshot I posted above. It seems that they are accessible. Guess the URLs itself are only shown when debugging is enabled for security reasons.

Got a little Update:
I can see the XHR-Requests now via Chrome Network View:

Hm, a 302 means that the URL is accessible after all. I get 404s for them on Apache and that’s what Kirby expects, I guess.

Hey!

Is there a way to modify the htaccess to make a 404 out of the 302?
I mean, somehow change this line:

RewriteRule ^content/(.*)\.(txt|md|mdown)$ index.php [L]

Do you get the same result with a fresh Starterkit on your server?

I guess you could return a 404 directly from your htaccess instead of sending those request through Kirby’s router. But Kirby’s router should return a 404 for those requests, not a 302. So wondering if you have any routes in place that return the 302.

1 Like

Hey texnixe,

I found a solution wich is most likely a workaround.
And I think at some point I have to make a new installation of kirby to fix all those permission errors. I’m not the owner of the server it’s always a bit tough though.

So my solution was to block all folders with a custom .htaccess wich includes a simple

Deny from all 

when I try to access the files/folders directly with the url
(e.g. http://www.yoursite/content/site.txt) it throws an classic 403 error
instead of redirecting to the errorpage.
Anyway. Now I get the expected 403s and no Security Issues are shown.

Thank you!