Allow directories that begin with a . except .env for websites!

Glitch currently blocks (returns 403) all directories that begin with a .

Hi @MagicalCat
Thanks for the suggestion, but I’m afraid that’s the point. For example, the .data is supposed to be used for local databases that might contain personal information. If you want it accessible, just don’t add the dot. Simple as that.

5 Likes

the problem is for some website ownership verifications, you need to add a certain file to .

it’s understandable for .data and .env and some other stuff
but i don’t think it’s necessary for all directories that begin with “.”

Can you elaborate on why the . in the directory name is necessary for the function of this?

i am trying to register my website onto something, and to prove ownership it asks me to add a file into directory .well-known

I’m assuming you’re working on a static site and it’s a bit of a security risk to allow files and directories that are denoted as “hidden” (which is what the dot prefix signifies) to be accessed from the open web. Just in a standard Glitch project that’d not only give access to .env and .data/ but also .git/ which includes the entirety of the project’s code history.

.well-known verifications are fairly commonplace but depending on your specific use case it may not need to be perpetually available. You could switch your project over to a dynamic app (Node, Python, etc.) and make use of a router to temporarily make a /.well-known path available. After verification you could go back to a static site. Or, if it does need to be perpetually verifiable you could always leave your app as a dynamic app.

2 Likes
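The dynamic-app approach suggested above, as an added example that is not part of the original thread: a small Node server that keeps every dot-prefixed path blocked except a top-level `/.well-known/`. The names `checkPath`, `decodePath` and `createApp`, the `public` directory and port 3000 are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Names and paths are assumptions.
const http = require('node:http');
const fs = require('node:fs');
const path = require('node:path');

const ALLOWED_DOT_DIRS = new Set(['.well-known']); // the single exception
const TYPES = { '.html': 'text/html', '.txt': 'text/plain', '.json': 'application/json' };

// Decode the path part of a request URL; null on malformed percent-encoding.
function decodePath(rawUrl) {
  try { return decodeURIComponent(rawUrl.split('?')[0]); } catch { return null; }
}

// Status a request deserves before the filesystem is touched: 200, 400 or 403.
function checkPath(rawUrl) {
  const decoded = decodePath(rawUrl);
  if (decoded === null || decoded.includes('\0') || decoded.includes('\\')) return 400;
  const segments = decoded.split('/').filter((s) => s !== '');
  for (let i = 0; i < segments.length; i++) {
    if (!segments[i].startsWith('.')) continue;
    // '.', '..', '.env', '.git', '.data' all stay blocked; only an
    // allowlisted directory at the top level of the site passes.
    if (i === 0 && ALLOWED_DOT_DIRS.has(segments[i])) continue;
    return 403;
  }
  return 200;
}

function createApp(rootDir) {
  const root = path.resolve(rootDir);
  return http.createServer((req, res) => {
    const status = checkPath(req.url);
    if (status !== 200) { res.writeHead(status).end(); return; }
    const file = path.join(root, decodePath(req.url));
    // Defence in depth: the resolved file must still sit under the site root.
    if (!file.startsWith(root + path.sep)) { res.writeHead(403).end(); return; }
    fs.readFile(file, (err, body) => {
      if (err) { res.writeHead(404).end(); return; }
      const type = TYPES[path.extname(file)] || 'application/octet-stream';
      res.writeHead(200, { 'Content-Type': type }).end(body);
    });
  });
}

// To serve ./public on port 3000: createApp('public').listen(3000);
```

The check runs on the decoded path, so `/%2eenv` is rejected the same way as `/.env`, and a dot segment nested under `/.well-known/` is still refused.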

tl;dr: it’s a security vulnerability risk

1 Like