Security: Should I move vendor dir and composer.json outside of document root?

1. Just started working with composer.

2. Installed some stuff with composer into my <documentroot>/vendor/ dir.

3. Now, everybody (every hacker) can read my composer.json at http://foo.tld/composer.json

4. Then they know, which software is installed. Then they may probe my <documentroot>/vendor/ dir with URLs like http://foo.tld/vendor/symfony/.

What should I do?

a) I could:

• chmod 0600 composer.json
• put a .htaccess into the vendor dir, to deny all access

b) Move the vendor dir outside the document root (which is not always possible in shared hosting environments.

You should move it out of DOCUMENT_ROOT.

The usual structure of a framework application is that the top level directory (containing stuff and also the composer.json file) is NOT the DOCUMENT_ROOT. There usualls is a dedicated directory for this, maybe named "public" or "htdocs" inside that contains all the usual assets (CSS, JS, pics) next to "the" central index.php file.

If you can't get that layout with a shared hosting, you probably should move on, because you cannot hide files from direct HTTP access there.