Securing Your Site
Lock down your private files (and pretty-up URLs).
Because there’s no database, you must take an additional step to protect your site.
This step disallows read access to Statamic’s system folders (_add-ons, _app, _config, and _content) and YAML settings files through the browser.
If this sounds hard, don’t fret. We’ve got you covered.
Note: The server configuration files below will also remove the /index.php from your URLs, making them nice and clean.
Running on Apache
Most web servers run Apache.
If you aren’t sure which web server software you’re using, it’s most likely Apache.
The easiest way to protect what needs protecting is by adding an .htaccess file to your website’s document root with a few rules telling your server what to do if someone tries to visit any of the protected files and folders via the web.
We’ve included an .htaccess file in the zip file that will account for most Apache configurations.
Simply rename the included sample.htaccess to .htaccess and you’re done (after confirming that you can’t access your system files via the web browser).
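One way to carry out that confirmation from the command line, as an added example that is not part of Statamic's own documentation or code; it applies equally to the Nginx and IIS setups. It assumes curl is installed; the script name, example.test and the extra file paths are placeholders you supply.

```shell
#!/bin/sh
# Added example: confirm the protected Statamic folders are refused over HTTP.
# Usage (placeholders): sh check_protected.sh https://example.test [path/to/file.yaml ...]

# System folders named on this page; none of them should be served.
PROTECTED_DIRS="_add-ons _app _config _content"

# Map an HTTP status code to a verdict. 2xx means the server returned content.
# 3xx is flagged for a manual look because the redirect target is not followed.
classify_status() {
    case "$1" in
        2??) echo exposed ;;
        401|403|404) echo blocked ;;
        3??) echo redirect ;;
        *) echo unknown ;;
    esac
}

# Print one URL per line: each protected folder, then any extra paths given.
build_urls() {
    base=${1%/}
    shift
    for d in $PROTECTED_DIRS; do
        printf '%s/%s/\n' "$base" "$d"
    done
    for p in "$@"; do
        printf '%s/%s\n' "$base" "${p#/}"
    done
}

# Probe every URL; return non-zero if any of them is not clearly blocked.
check_site() {
    failures=0
    for url in $(build_urls "$@"); do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || code=000
        verdict=$(classify_status "$code")
        printf '%-9s %s %s\n' "$verdict" "$code" "$url"
        [ "$verdict" = blocked ] || failures=$((failures + 1))
    done
    [ "$failures" -eq 0 ]
}

# Only probe when a base URL is supplied on the command line.
if [ "$#" -gt 0 ]; then
    check_site "$@"
fi
```

A refusal on a folder URL can simply mean directory listing is off, so also pass the path of at least one real file inside those folders (a YAML settings file, for instance) as an extra argument.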
Running on Nginx
Download this sample configuration and rename it to nginx.conf to secure your nginx-based server.
Running on IIS (Windows)
Download this sample configuration and rename it to web.config to secure your Windows-based server.