From a00ef6440f98b0ff1052e5cf75b89d8dd3a38330 Mon Sep 17 00:00:00 2001
From: supahgreg <supahgreg@users.noreply.github.com>
Date: Sun, 5 Oct 2025 19:09:04 +0000
Subject: Add initial content (with issues).

---
 Securing-Cache-Directories.md | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 Securing-Cache-Directories.md

(limited to 'Securing-Cache-Directories.md')

diff --git a/Securing-Cache-Directories.md b/Securing-Cache-Directories.md
new file mode 100644
index 0000000..b78cafc
--- /dev/null
+++ b/Securing-Cache-Directories.md
@@ -0,0 +1,40 @@
+# Securing Cache Directories
+
+!!! notice
+
+    Official container images restrict `/cache` access by default. This page applies only to
+    legacy host installations.
+
+While nothing critical is stored in cache directories by tt-rss nor do files
+have easily guessable names, you may consider forbidding external access over
+HTTP to these directories anyway. This is not required, however.
+
+You may also consider restricting access to <code>config.php</code>, just in case.
+
+## Using nginx
+
+```nginx
+location /tt-rss/cache {
+    deny all;
+}
+
+location = /tt-rss/config.php {
+    deny all;
+}
+```
+
+Note: official docker setup has this out of the box.
+
+## Using apache (2.4 syntax)
+
+```apache
+<Directory /var/www/html/tt-rss/cache>
+    Require all denied
+</Directory>
+
+<Directory /var/www/html/tt-rss>
+    <Files "config.php">
+        Require all denied
+    </Files>
+</Directory>
+```
-- 
cgit v1.2.3-54-g00ecf