To keep configuration parameters, many of us create include files and keep them inside the document root. The major concern with include files is exposure of their source code through the user's browser.
Include files use a .inc file extension. Apache has no idea what an include file is, and its DefaultType is text/plain. So in this scenario anybody can request the include file by URL and see the source code in the browser.
This can be easily avoided by reorganizing the application: include files can be moved outside of the document root. The best practice is to consider all the files and folders inside the document root to be public. By storing as much as possible outside the document root, you limit this exposure.
There are other ways too, but do not rely on them. These include the following:
– Instructing Apache to process .inc files as PHP
AddType application/x-httpd-php .inc
– Using a .php file extension for includes
– Instructing Apache to deny requests for .inc resources
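
To check an existing site for the exposure described above, the following added example (not part of the original page) lists files under a document root that contain PHP source but do not have an extension handed to PHP. It goes slightly beyond .inc and flags any such extension. The function names and the sample tree are constructed for illustration, and the handled extensions default to `php` as an assumption.

```sh
#!/bin/sh
# Added example (not from the original page): list files under a document
# root that contain PHP source but whose extension is not handed to PHP,
# so Apache would return them to the browser as-is.

# Usage: find_exposed_includes DOCROOT [EXT ...]
# EXT values are the extensions assumed to be mapped to the PHP handler
# (default: php). Match them to your own Apache configuration.
find_exposed_includes() {
    docroot=$1
    shift
    [ "$#" -gt 0 ] || set -- php
    n=$#
    # Append one "! -name *.EXT" filter per handled extension, then drop
    # the original extension arguments so "$@" holds only find filters.
    for ext in "$@"; do
        set -- "$@" ! -name "*.$ext"
    done
    shift "$n"
    # grep -l prints only the names of files containing a PHP open tag.
    { find "$docroot" -type f "$@" \
        -exec grep -l -e '<?php' -e '<?=' {} + || true; } | sort
}

# Constructed sample tree: one include inside the document root, one outside.
build_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/htdocs/lib" "$base/includes"
    printf '<?php require "lib/db.inc"; ?>\n' > "$base/htdocs/index.php"
    printf '<?php $db_pass = "constructed"; ?>\n' > "$base/htdocs/lib/db.inc"
    printf 'body { margin: 0 }\n' > "$base/htdocs/style.css"
    printf '<?php $api_key = "constructed"; ?>\n' > "$base/includes/keys.inc"
    echo "$base"
}

# Demo run: only htdocs/lib/db.inc is reported; includes/keys.inc lies
# outside the document root and is never scanned.
base=$(build_sample_tree)
find_exposed_includes "$base/htdocs"
rm -rf "$base"
```

Every path it prints is a candidate for moving outside the document root.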