Print

[Rezoyen]

If I were to setup several applications on an apache webserver what would be the most secure way to route requests and prevent file traversals? Is it through virtualhosts, permanent redirects, and a document root for each app?

As an example lets say I have example.com/app1 and then example.com/app2 and rather than dropping through a shared app you have to allow direct access to app1 and app2 separately and lock down their directories separately and route file traversing back to the central application file respective to either app1 or app2. I've heard .htaccess can do this but I don't like the idea of introducing an additional attack vector when it may be possible to get the same results in a more secure and cached form.

I'm reading through the documentation but they don't seem to take an opinionated approach - so feel free to point me to a topic in the official docs and I can followup on the reading.

[mario]

Sure a vhost for each application would do a good job. If you have the time, you may set up mod_security.