From 42fe16a545b2d7ef3a476dc347594384ac41a403 Mon Sep 17 00:00:00 2001 From: Jerome Jutteau Date: Mon, 4 Sep 2017 22:57:19 +0200 Subject: [PATCH] [TASK] Add documentation about var folder protection with lighttpd Signed-off-by: Jerome Jutteau --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index c62e252..752494c 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,14 @@ location ~ /var-.* { } ``` +If you are using lighttpd, you can deny access to ```var``` folder in your configuration: + +``` +$HTTP["url"] =~ "^/var-*" { + url.access-deny = ("") +} +``` + You should also remove un-necessessary write access once the installation is done (ex: configuration file). An other obvious basic security is to let access users to the site by HTTPS (make sure `web_root` in you `config.local.php` is set with https). -- 2.34.1
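Review bot: the regex in the added `$HTTP["url"] =~ "^/var-*" {` line does not match what the nginx rule just above it matches. In a regex `-*` means "zero or more hyphens", so this condition denies every URL that starts with `/var` (for example `/various`), not only the `/var-...` directory; `"^/var-"` would express the intent. The `^` anchor also ties the rule to an installation served from the web root, while the nginx context line `location ~ /var-.* {` is unanchored, so with a site under a sub-path the lighttpd rule would not match and the folder would stay readable. Either drop the anchor or say in the README text that the prefix has to be adapted. Minor style point: the new sentence wraps var in triple backticks inline, where the surrounding README text uses single backticks (`web_root`, `config.local.php`).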