Dot-Path Blocking
OxPHP blocks access to any URL path containing a segment that starts with ., returning 404 Not Found. This prevents exposure of sensitive files like .env, .git/, .htaccess, .svn/, and .DS_Store that are commonly targeted by automated scanners.
This protection is always on and cannot be disabled. It applies to all routing modes (traditional, framework, SPA, and worker).
What is blocked
Any request where a path segment starts with . returns 404:
| Request | Result |
|---|---|
/.env |
404 |
/.git/config |
404 |
/.htaccess |
404 |
/.DS_Store |
404 |
/.docker/config.json |
404 |
/path/.hidden/file.txt |
404 |
/path/to/.env |
404 |
Single-level percent-encoded bypasses are caught as well: /%2egit/HEAD decodes once to /.git/HEAD and is rejected.
The .well-known exception
RFC 8615 defines /.well-known/ as a standard location for site-wide metadata. OxPHP allows access to sub-paths within .well-known, with restrictions:
| Request | Result |
|---|---|
/.well-known/security.txt |
Served as a static file |
/.well-known/acme-challenge/token |
Served as a static file (Let's Encrypt) |
/.well-known/openid-configuration |
Served if file exists, otherwise ENTRY_FILE fallback or 404 |
/.well-known |
404 (bare path) |
/.well-known/ |
404 (directory listing) |
/.well-known/test.php |
404 (PHP execution blocked) |
PHP files inside .well-known are never executed — they always return 404. This directory serves static content only.
MIME types are determined by file extension. Files without an extension (like openid-configuration) are served as application/octet-stream.
Limitations
Double-encoded inputs (/%252egit/HEAD) are decoded only once and remain /%2egit/HEAD, which is not recognised as a dot-segment by this layer. Standard HTTP clients and browsers do not double-encode, so this rarely matters in practice; if your upstream proxy normalises URIs before forwarding, single-pass decoding is sufficient.
See also
- Routing — routing modes and path security