Composer files in web root

This may be a basic question. But, I was doing a vulnerability scan of a clean Concrete install with OWASP ZAP. It did alert that the composer.json and composer.lock were publicly accessible.

My questions are:

  1. Is there something inherently bad with these being publicly accessible?
  2. If Concrete was not installed using Composer, are these necessary?
  3. If they are necessary, what's the best way to keep them from being accessible?

I don’t know if those files are required but just put a dot in front of filenames (if Linux based) and that’s all.
I did that last year and never looked back.

Also, make sure Apache/nginx/whatever doesn’t serve dotfiles. I believe that’s by default but doesn’t hurt to check.

You don’t want them to be accessible because they basically profile all the dependencies you have so an attacker can see if you have outdated or vulnerable versions of them.

They should generally have permissions set on them so that only your system user can access them, not the public.

Thanks for the info. I have adjusted the permissions so they aren’t public. But, out of curiosity, what are the consequences of removing them?
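
Added example, not part of any post in this thread: a small Python check that a site no longer serves the Composer files, covering both the original names and the dot-prefixed renames suggested above. The script name, the candidate list and the JSON-key heuristic are assumptions of this example; the body check avoids counting a custom "not found" page that returns 200.

```python
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Names from the thread plus the dot-prefixed renames one reply suggests.
CANDIDATES = ("composer.json", "composer.lock", ".composer.json", ".composer.lock")


def http_get(url, timeout=5.0):
    """Return (status, body) for a GET of url; status is None if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(1_000_000)
    except urllib.error.HTTPError as err:
        return err.code, b""  # 403/404 are answers from the server, not failures
    except (urllib.error.URLError, OSError):
        return None, b""


def looks_like_composer(body):
    """True if body is a JSON object carrying keys found in composer.json/.lock."""
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON (e.g. an HTML error page served with 200)
        return False
    return isinstance(doc, dict) and bool({"require", "packages", "content-hash"} & doc.keys())


def exposed_files(base_url, fetch=http_get):
    """Return the candidate names the server actually hands out as Composer data."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    found = []
    for name in CANDIDATES:
        status, body = fetch(urljoin(base, name))
        if status == 200 and looks_like_composer(body):
            found.append(name)
    return found


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_composer.py https://your-site.example/")
    hits = exposed_files(sys.argv[1])
    for hit in hits:
        print(f"EXPOSED: {hit}")
    sys.exit(1 if hits else 0)
```

Run it against your own site after changing permissions, renaming, or adding a deny rule; a non-zero exit status means at least one file is still being served.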