Hacker News new | past | comments | ask | show | jobs | submit login

Probably having .htaccess / .env / database configuration / files that are not supposed to be public be exposed.

For instance, Rails has a public/ folder for files that are going to be served. And jekyll hides files by pattern-matching them[1].

Zero doesn't seem to have exclude folders by default. The solution would be to run Zero is a subfoler and require file in the parent folder which would act as the tree's root.

[1]: https://help.github.com/en/articles/files-that-start-with-an...

Currently, files starting with _ (underscore) are hidden in zero. This is still a feature spec we need to finalize as this can create confusion. Maybe a .zeroignore file (as suggested in another comment) would be a better idea.

Why not reverse that and use a whitelist instead. It’s a lot easier to decide what folders and files should be served than to think of all the things that shouldn’t.

Nextjs uses a pages/ subdirectory which gives you implicit routing, without having to compromise on the whitelist aspect. I think it's a better compromise.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact