Last Updated: February 25, 2016
· rizwaniqbal

Make Laravel(4) work without `public/` in the URL

There is a huge security risk involved if you don't hide your app and other directories via .htaccess. Even then the files in the root directory wil be accessible via the browser. Use this method only if you can hide all important files on the browser.

I saw a lot of tricks to modify the .htaccess or to place the other directories outside the root and to simply point the vhost configuration of your apache web server to point to the public directory. None of these make sense when you are developing on an ubuntu box and want to replicate a production environment.

A little bit of snooping around the code will help you competely remove public from the URL. If you have a git repository around the project, you can put this commit in a different branch and cherry-pick it just in case you want to roll back for a future version.

The steps are simple:

  1. Move the contents of the public directory into your application directory.

  2. Modify the public value in bootstrap/paths.php return value to 'public' => __DIR__.'/../../<application-folder>',

  3. Modify the paths in the index.php file that you just moved from the public folder to :

// require __DIR__.'/../bootstrap/autoload.php';
require __DIR__.'/bootstrap/autoload.php';

// $app = require_once __DIR__.'/../bootstrap/start.php';
$app = require_once __DIR__.'/bootstrap/start.php';

4 Responses
Add your response


This sounds like it could be a security risk. The whole point of having a public directory, along with keeping things organized, is that it puts all your important and "confidential" files behind the site root so that people can't go to <website_url>/app/config/database.php and get a peek at your database information.

over 1 year ago ·

Yes, but you think hiding it using .htaccess would work

over 1 year ago ·

As @searsaw said, this is a massive security risk waiting to be exploited.
I have my Apache VHost pointed to the /www/laravel_app/public directory which of course loads an index.php file. In this index.php file that's located in the public directory, I have a few lines...

require __DIR__.'/../bootstrap/autoload.php';
$app = require_once __DIR__.'/../bootstrap/start.php';

Then, in the same public directory my .htaccess is setup as...

<IfModule mod_rewrite.c>
    Options -MultiViews
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

Routes work as expected without the public prefix, no access to non-public parts. Could even put an .htaccess in the laravel_app root that explicitly disallows access to the app, bootstrap, and vendor directories, but this method is already secure enough.

over 1 year ago ·

Yeah, I have restricted access to directories but parts like composer.json will still be accessible which is kinda embarrassing. I have reverted back to using this with public and have updated my virtual host configuration on my production and staging server.

over 1 year ago ·