The "Trust Path" is a technique used by ImpressCMS to store security-sensitive files in a location outside the web-accessible area of the web server. This gives your site's code access to the file contents, but blocks access from the web.

The idea of a trust path is to offer better protection for files, folders and data which are more sensitive.

The problem

Traditionally, all the files of a PHP application reside in a folder in the web root of a server. By being in the web root, all these files are easily accessible with a web browser. For example: http://www.mysite.com/some_important_data.php can be accessed in a single click.

Now, if this file holds sensitive information and has not been properly protected, the information could be accessed. One way to overcome this is to move this file outside of the web root, so it will still be accessible by PHP scripts, but not directly with a web browser.

This is what the trust path is used for.

So concretely, what does it look like?

Let's say you have uploaded ImpressCMS to http://www.yoursite.com, and the physical path for this site is /home/yoursite/public_html/. Then everything inside public_html/ is accessible via a web browser. In this case, the recommended trust path location would be /home/yoursite/trust_pathabcdem, where "abcdem" is a random string.

Why a random string? Again, because we want to make it as difficult as possible for any malicious hacker to discover the real location of the trust path.

What is it used for?

The main file of the ImpressCMS application is, as you might have guessed, called mainfile.php. This file holds the keys to the database and other important information. The very first reason why we are using a trust path folder is to hold this sensitive information.

The ImpressCMS installer will write the database access information in a file, with a pretty long and random name, and store it in the trust path folder! So the very file holding the keys to your site:

  • has a random name very hard to find
  • is stored in a folder, also with a random name, still very hard to find
  • and this folder is stored outside the web root, not accessible by a web browser
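As an added illustration of these three properties (random file name, random folder name, folder outside the web root), the POSIX shell script below creates such a layout and refuses to create it if the chosen location turns out to be inside the web root. This is example code written for this page, not the ImpressCMS installer's own code; the /home/yoursite directory layout and the constant names in the generated config file are constructed placeholders.

```shell
#!/bin/sh
# Example (not ImpressCMS installer code): build a trust path the way the page
# describes. All paths and config values are hypothetical placeholders.

# Print a random string of lowercase letters and digits of length $1.
random_name() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "$1"
}

# Resolve $1 to an absolute, symlink-free path. The last component need not
# exist yet (we call this before the directory is created).
abs_path() {
    _dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    printf '%s/%s\n' "$_dir" "$(basename "$1")"
}

# Return 0 when candidate path $1 is NOT inside web root $2, 1 otherwise.
# A path equal to the web root also counts as "inside".
is_outside_webroot() {
    _cand=$(abs_path "$1") || return 1
    _root=$(abs_path "$2") || return 1
    case "$_cand/" in
        "$_root"/*) return 1 ;;
    esac
    return 0
}

# Create "$1/trust_path<random>" (mode 700) and print its path.
# $1: parent directory for the trust path, $2: web root (e.g. .../public_html).
make_trust_path() {
    _tp="$1/trust_path$(random_name 6)"
    if ! is_outside_webroot "$_tp" "$2"; then
        echo "refusing: $_tp would be inside the web root $2" >&2
        return 1
    fi
    mkdir -m 700 "$_tp" || return 1
    printf '%s\n' "$_tp"
}

# Write a config file with a 32-character random name into trust path $1
# and print the file's path. The file is created with mode 600 (umask 077
# in a subshell so the caller's umask is untouched).
write_db_config() {
    _file="$1/$(random_name 32).php"
    (
        umask 077
        cat > "$_file" <<'EOF'
<?php
// Constructed placeholder values and constant names; a real installer
// writes the actual database credentials here.
define('DB_USER', 'db_user_placeholder');
define('DB_PASS', 'db_pass_placeholder');
define('DB_NAME', 'db_name_placeholder');
EOF
    ) || return 1
    printf '%s\n' "$_file"
}

# Usage (hypothetical layout):
#   tp=$(make_trust_path /home/yoursite /home/yoursite/public_html)
#   cfg=$(write_db_config "$tp")
```

The file in the web root (mainfile.php in ImpressCMS) then includes the config file by its full path, so the web server never needs to serve it. A practical check after setting this up: request the config file's name under the site URL in a browser; it should not be served, since the file is not under public_html at all.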


Last modified on 2015/6/14 by Anonymous