Deny access to all dot files by default
A lot of web applications that are either built or simply installed on a website use dot files and folders, whether those be .htaccess, .git, .env, etc.
Generally speaking, dot files and folders are used to store either sensitive files or backend configuration which you would never want users to be able to access.
By default Apache has some protection built-in to restrict accessing dot files, but Nginx does not. This creates a potential security risk. For example, I might install a web application or build one which has dot files in the public root; these most likely would be .htaccess and .git folders. Now, if the site was running Apache I probably wouldn't need to worry, but if I disable Apache and use only Nginx, these dot files and folders become accessible, and there is no guarantee that I would remember or even know I needed to deny access to dot files; I might simply assume Plesk or the web server would do it for me. Just today I went through all of our websites and added additional Nginx configuration to restrict access to dot files and folders, but this means that for months someone may have been able to read .htaccess files and .git folders, giving them insight into potentially sensitive information. I imagine I'm not the only one who didn't consider that Nginx doesn't deny access to dot files, so imagine how many similar cases are out there.
To address this issue I am proposing that Plesk add new default configuration to each website in the Nginx config which denies access to dot files, and then provide an option in the "Apache & nginx Settings" screen to enable access to dot files, for the rare case where the administrator might want dot files to be accessible (maybe Plesk is running on an internal dev environment or something similar).
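For anyone who wants to close this gap today rather than wait for a Plesk default, the following is an added example of the per-domain Nginx directives described in the post; it is not Plesk's own template and not code from the original poster. It assumes the directives are pasted into the domain's "Additional nginx directives" field (which Plesk places inside the generated `server {}` block), and that the site uses Let's Encrypt style HTTP-01 validation, so `/.well-known/acme-challenge/` must stay reachable even though its first path segment starts with a dot. One caveat worth knowing: Apache's stock configuration only blocks `.ht*` files (`<Files ".ht*">`), so `.git` and `.env` are exposed under Apache too unless the application's own `.htaccess` covers them; the rule below catches every dot-prefixed path segment regardless of which server serves the request.

```nginx
# Added example: deny every dot file and dot directory for this vhost.
# Paste into Plesk > Domains > example.com > Apache & nginx Settings >
# "Additional nginx directives". Hostname and paths are hypothetical.

# 1. Exception first. "^~" is a prefix match that, when it is the longest
#    matching prefix, stops Nginx from evaluating regex locations, so the
#    catch-all below never sees ACME challenge requests.
location ^~ /.well-known/acme-challenge/ {
    allow all;
}

# 2. Catch-all. The regex matches "/." anywhere in the URI, so it covers
#    /.git/HEAD, /.env, /.htaccess, /.htpasswd and /sub/dir/.git/config
#    alike. "deny all" answers 403 in the access phase, before the request
#    reaches static files or the proxy to Apache. Use "return 404;" instead
#    of "deny all;" if you prefer not to confirm the file exists (return
#    runs in the rewrite phase, so do not combine the two).
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}
```

After applying the directives, verify from outside the server: `curl -sI https://example.com/.git/HEAD` and `curl -sI https://example.com/.env` should both return `HTTP/1.1 403` (or 404 if you chose `return 404;`), while a request to `/.well-known/acme-challenge/test` should fall through to the normal 404 for a missing file rather than a 403, which confirms the exception is ordered correctly. Because the deny happens in Nginx, it also protects sites where Nginx merely proxies to Apache, which is the case where Apache's own `.ht*` rule would otherwise have been the only line of defence.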
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
—
IG
-
Gabriel T commented
I do think that's important as well. As it is now, it's tedious to do it on a subscription basis. At least give us an option to turn it on/off.