Secure the database - munkireport/munkireport-php GitHub Wiki
SQLite or MySQL
If you're running MunkiReport with a MySQL backend, you can stop reading. If you're using SQLite, read on.
Default protection
MunkiReport ships with an .htaccess file that should protect the app directory on an Apache web server. It also contains a web.config file that should do the same on an IIS web server. But web servers are complex beasts, and global configurations may interfere with these security settings. And if you're using nginx, you don't have any out-of-the-box protection at all.
Are you safe?
First check if the database is exposed to the world by trying to download it with a browser: https://yourserver.fqdn/app/db/db.sqlite
If you can download the file, your data is publicly available, which is a Bad Thing™.
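The same check can be scripted so it can be repeated after every web server change. This is an added example, not part of MunkiReport: it assumes curl is installed, and the function names and verdict labels are made up for illustration. It looks at the returned bytes rather than only the status code, because a server can answer 200 with an error page.

```shell
#!/bin/sh
# Added example (not part of MunkiReport): test whether a URL serves a real
# SQLite file. Every SQLite 3 database starts with "SQLite format 3" + NUL.

# is_sqlite FILE: succeed if FILE starts with the SQLite 3 magic string.
is_sqlite() {
    [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# classify HTTP_CODE BODY_FILE: print a verdict for one HTTP response.
classify() {
    if is_sqlite "$2"; then
        echo "EXPOSED"                  # database content was returned
    else
        case $1 in
            2??) echo "REVIEW" ;;       # something else is served at this path
            401|403|404) echo "BLOCKED" ;;
            *) echo "UNKNOWN" ;;        # timeout, TLS error, redirect, 5xx ...
        esac
    fi
}

# check_exposure URL: fetch the start of URL and classify the response.
# Returns non-zero when the database is exposed, so it can gate a deploy.
check_exposure() {
    body=$(mktemp) || return 2
    # The Range header asks for the 100-byte SQLite header only; a server
    # that ignores Range sends the whole file, which is classified the same.
    code=$(curl -s -o "$body" -w '%{http_code}' --max-time 10 -r 0-99 "$1")
    verdict=$(classify "${code:-000}" "$body")
    rm -f "$body"
    echo "$verdict (HTTP ${code:-000}) $1"
    [ "$verdict" != "EXPOSED" ]
}

# Usage: sh check_db.sh https://yourserver.fqdn/app/db/db.sqlite
if [ "$#" -gt 0 ]; then
    check_exposure "$1"
fi
```

Run it from a machine outside your network as well, since an internal client may be treated differently by the web server.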
Solutions
- Make sure the database directory is out of the webroot.