'go()' in default template seems to expose sensitive folders


Instead of a static 404/error page, I managed to redirect the visitor back to the homepage.

In the default template:

<?= go($site->url()) ?>

This worked well. But for some reason the panel detects that sensitive folders (content, site and kirby) are accessible. This can also be tested with the Plainkit.

The folders are in fact still not accessible, so in the frontend everything is fine. It seems to be just an issue with the message in the panel.


Your go($site->url()) doesn’t have an effect on sensitive folders being accessible, because that is a server-side thing and should be handled in your server configuration. For Apache, this is done in our default .htaccess. For other servers, you have to implement the corresponding rules.

Hi, many thanks for your reply.
I know that this is server-side and handled by the .htaccess, and like I mentioned, it seems to be an issue with the message in the panel.

It can be tested with the Plainkit.

  1. Add the ‘go’ statement to the default template
  2. Create a home.php to prevent too many redirects

→ message appears in the panel. Delete the ‘go’-statement → message disappears

Yes, in fact, the result you are experiencing is logical. Since you are pointing all URLs to the home page instead of to the error page (which is what they should do), all these URLs return an HTTP response code 200, when they should return a 400 to be considered as blocked.
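The effect described in the reply above, as an added example that is not part of the original thread and is not Kirby's own check: a constructed local test server answers unknown URLs either with an error page or with a redirect to the home page, and a probe records the final status for the three folders. The probe logic (follow redirects, treat any status below 400 as reachable) and all function names are assumptions made for illustration.

```python
import http.server, threading, urllib.request, urllib.error

SENSITIVE = ("/content", "/site", "/kirby")  # folders named in the thread

def make_handler(redirect_unknown):
    # Constructed stand-in site, not Kirby itself.
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == "/":
                self.reply(200, b"home")
            elif redirect_unknown:
                # mimics go($site->url()) in the default template
                self.reply(302, b"", location="/")
            else:
                self.reply(404, b"error page")
        def reply(self, code, body, location=None):
            self.send_response(code)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):  # keep output quiet
            pass
    return Handler

# Ignore proxy environment variables so the probe stays on localhost.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def final_status(url):
    # Status after following redirects, as a client would see it.
    try:
        with OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_paths(base):
    # Assumption: anything answering below 400 counts as reachable.
    return [p for p in SENSITIVE if final_status(base + p) < 400]

def audit(redirect_unknown):
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(redirect_unknown))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return exposed_paths(f"http://127.0.0.1:{srv.server_port}")
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("error page:", audit(False), "| go() to home:", audit(True))
```

With the error page in place no folder is reported; with the redirect every folder ends at the home page's 200 and is reported, although no file from those folders was ever served.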

Okay thanks, that makes sense!
But is it technically bad to use this as an error page alternative?

You mean redirect to the homepage? Personally, I think it’s not a good idea, because the user doesn’t understand what’s happening and why. The purpose of the error page is to tell the user that the address they tried to access doesn’t exist/no longer exists and then give them a couple of links to go to or a search field.

I don’t really understand why you want to put a redirect in the default template.

Thanks for your advice!