
dirbusting or .htaccess? #52

Open

unusualevent opened this issue Feb 27, 2024 · 4 comments

Comments

@unusualevent

What prevents someone from misconfiguring apache such that /config.php is browsable?

e.g. shouldn't there be a mention of setting up .htaccess?

@virtadpt

Set up selfauth and try loading your config.php file in a browser. You should get a zero-length response from the web server because all it does is set four variables. It doesn't actually output anything.

@unusualevent
Author

Best practice for PHP nowadays is that you should keep your configs / .envs one directory above the public one, just in case your web server interprets it as a static file.

I'm aware that if PHP interprets it, it'll be blank.

If someone's server is set up wrong, it'll leak the config.

It's not best practice PHP to leave it in the same folder.

@virtadpt

virtadpt commented Feb 28, 2024

True. However, if somebody's server is set up wrong, selfauth won't work at all because index.php will get displayed to the user also.

Not trying to refute your point (you're right), just making an observation after testing yesterday.

@unusualevent
Author

Yup, definitely seen where somebody has a working PHP setup but they also have a second HTTP server (or a second server directive) that can see the same directory.
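One way to close the gap discussed in this thread, as an added example that is not part of the selfauth project or of any comment above: Apache 2.4 configuration that refuses direct requests for `config.php` even when a second server directive serves the same directory without a PHP handler. It assumes Apache 2.4 syntax and, for the `.htaccess` variant, an `AllowOverride` setting that permits `<Files>` sections.

```apache
# Added example, not from the selfauth project.
#
# Variant 1: .htaccess in the directory holding index.php and config.php.
# Only effective where the vhost allows it, e.g.
#   AllowOverride Limit AuthConfig   (or AllowOverride All)
# A vhost with "AllowOverride None" silently ignores this file, which is
# exactly the "second server directive" case raised in the thread.

<Files "config.php">
    # PHP's require/include reads the file from disk and is unaffected;
    # only an HTTP request for /config.php is refused (403) instead of
    # returning an empty body or, on a host without a PHP handler, the
    # raw source with its four variables.
    Require all denied
</Files>

# Variant 2: the same rule in the server/vhost configuration, which does
# not depend on AllowOverride and so also covers an extra vhost or Alias
# that points at the same directory. Replace the path with the real one
# (placeholder below).

<Directory "/var/www/selfauth">          # placeholder path
    AllowOverride None
    Require all granted
    <Files "config.php">
        Require all denied
    </Files>
</Directory>

# Variant 3 (the thread's preferred layout): keep config.php one level
# above DocumentRoot so no web server can ever map a URL to it, and load
# it from index.php with
#   require __DIR__ . '/../config.php';
# Then nothing needs to be denied, because the file is outside every
# directory Apache serves.
```

After deploying either variant, a request for `/config.php` should return 403 rather than 200 with an empty body; the empty body proves PHP ran, the 403 proves the rule is active even where PHP is not.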
