[Security][Proposal][WIP] Deny explicit requests to app.php/

web/app.php

@@ -3,6 +3,20 @@
 use Symfony\Component\ClassLoader\ApcClassLoader;
 use Symfony\Component\HttpFoundation\Request;
 
+// This check prevents explicit access to front controller, except while Apache
+// mod_rewrite fallback
+// Feel free to remove this, extend it, or make something more sophisticated.
+if (preg_match('#^/(.[^/]+)#', $_SERVER['REQUEST_URI'], $matches)
+    && $_SERVER['SCRIPT_NAME'] === $matches[0]
+) {
+    if (false === stripos($_SERVER['SERVER_SOFTWARE'], 'apache')
+        || (function_exists('apache_get_modules') && in_array('mod_rewrite', apache_get_modules()))
+    ) {
+        header('HTTP/1.0 404 Not found');
+        exit();
+    }
+}
+
 $loader = require_once __DIR__.'/../app/bootstrap.php.cache';
 
 // Enable APC for autoloading to improve performance.