Solution: Content Folder Exposed on Hybrid Hosting

Posting this in case someone else runs into this issue: On some hybrid nginx/Apache hosting platforms (i.e. Cloudways and RunCloud), you may get a warning from your Kirby installation that your content folder is exposed.

This is because requests to recognized dynamic data (i.e. PHP files) are handled by Apache, while all requests to static files are handled by nginx. Kirby has a rule in its .htaccess file to redirect requests from the /content/ folder to your error page, but only Apache reads the .htaccess file; nginx ignores it entirely.

As a result, requests to static files in your /content/ folder are not redirected, which means that requests like domain.com/content/site.txt expose your website's content files.

You have a couple options:

  1. Best: Do a custom folder setup that moves your /content/ folder out of the web root entirely: Custom folder setup | Kirby CMS
  2. Alternately, I don’t know how it works for all hosting providers, but for Cloudways I was able to open a support ticket, asking for an Nginx “bypass” for the /content/ folder. You’ll need to provide them with a list of file extensions you want to bypass. .txt is a bare minimum, but you’ll want to see what other content is stored in your content folder and include them all. For me, this meant txt svg jpeg jpg png gif.

Hope this helps someone!

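A way to build the extension list from option 2 and confirm the result on your own site, as an added example that is not part of the original post or of Kirby itself. The function names are hypothetical, and it assumes an HTTP 200 on a /content/ URL means the file was served directly rather than handed to Kirby's error page.

```python
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def content_extensions(content_root):
    """Map each lowercase file extension under content_root to one sample relative path."""
    samples = {}
    for dirpath, dirs, files in os.walk(content_root):
        dirs.sort()  # deterministic traversal order
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if not ext:
                continue  # no extension (README, dotfiles): nothing to list
            rel = os.path.relpath(os.path.join(dirpath, name), content_root)
            samples.setdefault(ext, rel.replace(os.sep, "/"))
    return samples


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 3xx as an HTTPError instead of following it


def http_status(url):
    """GET url and return the status code, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_extensions(base_url, content_root, status_of=http_status):
    """Return the extensions whose sample file is still served from /content/."""
    exposed = []
    for ext, rel in sorted(content_extensions(content_root).items()):
        url = base_url.rstrip("/") + "/content/" + quote(rel)
        if status_of(url) == 200:  # assumption: 200 means served directly
            exposed.append(ext)
    return exposed


if __name__ == "__main__":
    # Usage: python check_content.py https://your-site.example ./content
    site, root = sys.argv[1], sys.argv[2]
    print("extensions in content folder:", " ".join(sorted(content_extensions(root))))
    print("still exposed:", " ".join(exposed_extensions(site, root)) or "none")
```

Run it against a local copy of the content folder before opening the support ticket to get the full extension list, then again afterwards to confirm nothing is still served.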