Lock the panel by default?

Hey there,

I was just thinking about the panel in K3. If I install Kirby3 it always comes with the panel, right? What if I do not use the panel and write all my content directly into my markdown.

In this case I may not think about the panel, deploy my site and be happy. But what could happen now is, that somebody opens mysite.tld/panel. The install-procedure will start, the visitor can now setup an account and has access to my site. This access might be very limited because there won’t be any specialized blueprints, but she/he has access.

Wouldn’t it be good to lock the panel by default and init the setup by a config-var or something like that?

  1. Installing the Panel on a remote server is not possible without an explicit config setting.
  2. You can completely disable the Panel and the API in your config; without these, the Panel (just a bunch of JS/CSS files), can’t do anything
  3. You can even delete the Panel folder completely, I that’s what you prefer, but it’s not necessary from a security perspective with the config options set as above.

Thank you! I wasn’t aware of that, it just came into my mind after working locally with it.