As the title asks, is there any reason why I should not move the websockets folder from Lucee’s context folder to a folder in webroot?
Shouldn’t really be a security risk. The code should fail if you call it via http – so it’s best practice to keep it out. What’s your reasoning to keep it within?
My Dev environment is almost a mirror of production, so the server is secured. There are only 2 ways I could make edits to the websocket.cfc.
#1: If I move it to webroot, when I save it, I sftp (keyed, no passwords) in and drop the update.
#2: I would have to mount the websockets folder to a folder in webroot (so once again I am putting it in webroot) and then I can access it via sftp.
Then there is git. If I am pushing changes to servers, this file would not be in git repo, as the git repo would just be the webroot, and I would have to manually upload the file to x amount of servers running it.
Unless the cfc has remote=true, it will do nothing if called directly?
A CFC is only callable via HTTP if it has functions with access="remote". If your listener CFC doesn’t have any remote functions, requesting it via HTTP won’t do anything.
You can point the directory setting in websockets.json straight at a folder in your webroot:
{
"directory": "/whatever/path"
}
Moving the websocket folder into your webroot is fine — there’s no security risk.
That said, I personally like to keep everything out of the actual webroot that doesn’t need to be there; less chance of shooting oneself in the foot.
\model
\controller
\www
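
A check for the condition discussed in this thread (a CFC answers HTTP requests only if it has functions with access="remote"), added here as an example and not part of any post: a Python scan of a listener folder for remote functions before that folder is placed in the webroot. The regexes are a heuristic, not a CFML parser, and the sample components and their function names are constructed.

```python
import re
import sys
from pathlib import Path

COMMENTS = re.compile(r'<!---.*?--->|/\*.*?\*/', re.S)       # CFML and block comments
TAG_FN = re.compile(r'<cffunction\b[^>]*>', re.I)            # tag syntax
ACCESS_REMOTE = re.compile(r'\baccess\s*=\s*["\']remote["\']', re.I)
NAME_ATTR = re.compile(r'\bname\s*=\s*["\']([^"\']+)["\']', re.I)
# Script syntax, modifier form: remote [returntype] function name(
SCRIPT_MODIFIER = re.compile(r'\bremote\s+(?:[\w.\[\]]+\s+)?function\s+(\w+)\s*\(', re.I)
# Script syntax, attribute form: function name(...) access="remote" {
SCRIPT_ATTR = re.compile(r'\bfunction\s+(\w+)\s*\([^)]*\)([^{;]*)\{', re.I)

def remote_functions(source):
    """Return the sorted names of functions declared with remote access."""
    src = COMMENTS.sub('', source)          # commented-out code is not callable
    found = set()
    for tag in TAG_FN.findall(src):
        if ACCESS_REMOTE.search(tag):
            name = NAME_ATTR.search(tag)
            found.add(name.group(1) if name else '<unnamed>')
    found.update(SCRIPT_MODIFIER.findall(src))
    for name, attrs in SCRIPT_ATTR.findall(src):
        if ACCESS_REMOTE.search(attrs):
            found.add(name)
    return sorted(found)

def scan(root):
    """Map each .cfc under root to its remote functions (files with none are omitted)."""
    hits = {}
    for path in Path(root).rglob('*.cfc'):
        names = remote_functions(path.read_text(encoding='utf-8', errors='replace'))
        if names:
            hits[str(path)] = names
    return hits

# Constructed samples: a listener with no remote functions, and two that expose some.
SAFE_LISTENER = '''component {
    function onOpen(wsclient) {}
    public function onMessage(wsclient, message) { return message; }
    /* remote function disabled() {} */
}'''
EXPOSED_LISTENER = '''component {
    remote string function ping() { return "pong"; }
    function stats(required string id) access="remote" { return {}; }
}'''
TAG_LISTENER = '<cfcomponent><cffunction name="legacy" access="remote"></cffunction></cfcomponent>'

if __name__ == '__main__':
    for path, names in scan(sys.argv[1] if len(sys.argv) > 1 else '.').items():
        print(f'{path}: remote functions {names}')
```

Run it with the listener folder as the only argument; any file it prints has functions reachable over HTTP once the folder sits under the webroot.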