Securing Your Site

Lock down your private files (and pretty-up URLs).

Because there’s no database, Statamic keeps its content and settings in files inside your site, so you must take an additional step to protect it. This step disallows read access through the browser to Statamic’s system folders (_add-ons, _app, _config, and _content) and to its YAML settings files.

If this sounds hard, don’t fret. We’ve got you covered.

Note: The server configuration files below will also remove the /index.php from your URLs, making them nice and clean.

Running on Apache

Most web servers run Apache. If you aren’t sure which web server software you’re using, it’s most likely Apache. The easiest way to protect what needs protecting is by adding an .htaccess file to your website’s document root with a few rules telling your server what to do if someone tries to visit any of the protected files and folders via the web.

We’ve included an .htaccess file in the zip file that will account for most Apache configurations. Simply rename the included sample.htaccess to .htaccess and you’re done (after confirming that you can’t access your system files via the web browser).

Running on Nginx

Download this sample configuration and rename it to nginx.conf to secure your Nginx-based server.

Running on IIS (Windows)

Download this sample configuration and rename it to web.config to secure your Windows-based server.
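Whichever server you run, the confirmation step mentioned above can be automated. The following is an added example, not part of the Statamic distribution: it takes files from a local copy of the site and reports any that the live server returns byte for byte. It assumes the local copy matches what is deployed; the script name in the usage comment is hypothetical.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path

# Folders named in the article; YAML files in the document root are probed too.
PROTECTED_DIRS = ("_add-ons", "_app", "_config", "_content")


def candidate_files(doc_root, per_dir=5):
    """Pick real files from a local copy of the site to request over HTTP."""
    root = Path(doc_root)
    picks = sorted(p for p in root.glob("*.yaml") if p.is_file())
    for name in PROTECTED_DIRS:
        if (root / name).is_dir():
            files = sorted(p for p in (root / name).rglob("*") if p.is_file())
            picks.extend(files[:per_dir])
    return picks


def http_get(url, timeout=10):
    """Return (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def exposed_files(base_url, doc_root, fetch=http_get):
    """Return relative paths whose exact contents the server hands out."""
    root = Path(doc_root)
    leaks = []
    for path in candidate_files(root):
        rel = path.relative_to(root).as_posix()
        url = base_url.rstrip("/") + "/" + urllib.parse.quote(rel)
        status, body = fetch(url)
        # A 200 alone is not proof: rewrite rules may answer with a CMS page.
        if status == 200 and body == path.read_bytes():
            leaks.append(rel)
    return leaks


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (assumed name): python check_exposure.py https://example.com ./site
    found = exposed_files(sys.argv[1], sys.argv[2])
    print("\n".join("EXPOSED: " + rel for rel in found) or "nothing served")
    sys.exit(1 if found else 0)
```

An empty result means none of the sampled files came back intact; rerun it after any change to the server configuration.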

This article was last updated on September 13th, 2016.