Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Please ensure, like the configuration below, your web server directs all requests to your application's public/index.php file. You should never attempt to move the index.php file to your project's root, as serving the application from the project root will expose many sensitive configuration files to the public Internet:
So now I am little worried what's the actual process is before in laravel 8 I used to use this code in my root htaccess and it was running good.
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ ^ [N]
RewriteCond %{REQUEST_URI} (\.\w+$) [NC]
RewriteRule ^(.*)$ public/ [L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ server.php
2.But Laravel 10 doesnot have server.php. I tried to include this code into my Laravel 10 project's root htaccess also server.php along with public folder untouched, but the issue with it is that www.abc.com website doesnot loads but when I put www.abc.com/public the website loads. I dont want this, so i removed public folder and did what i have mentioned to my 1. part. Please suggest me a secure way of doing it.
There are several past post where myself and others have gone over correctly setting up laravel.
One is :
https://laracasts.com/discuss/channels/tips/hosting-on-shared-server-best-practice
But there are more. But you have to point to public as your document root. I put main laravel out of web.
Edit:
Also digital ocean and many other host has guides for laravel setup.
what you are saying is www\public_html\public from my cpanel? If is then it would be a good practice, please explain. I am confused with it.
@babai9 see these:
https://laracasts.com/discuss/channels/servers/deploy-on-shared-server?page=1&replyId=418233
But you can do your own searches. Setting up laravel has been covered so many times.
Edit:
For shared I do this: http://novate.co.uk/deploy-laravel-5-on-shared-hosting-from-heart-internet/
@jlrdw I checked all of this links you have posted before hand, want to know the secure way is the SSH one is secure or .htaccess one, my one is shared hosting so I think the best possible way is .htaccess, what do you think?
SSH one is secure or .htaccess one
Two different things. You want ssh on a live site and the htaccess is for apache.
Which are you using apache or nginx.
Edit:
The htacces laravel comes with shouldn't need changing.
@babai9 ssh, git clone and composer to get your code
If your provider does not support this, get a new provider
@jlrdw apache, i dont have SSH. So I think need to go on with .htaccess, but I am still very confused why all are going for SSH? Why SSH is mostly preferred? And if I need to do know with .htaccess, how can I proceed as you know the way I have chosen is not recommendable by laravel docs.
@Snapey can't get a new provider as the hosting is already been purchased, and for now we can't afford more than that. Can you please suggest me a way other than SSH for now as you know the process I have chosen is not recommendable? Also, can you please explain why SSH is preferred? really SSH is kicking me onto my dreams now, i searched a lot of docs and mostly all are saying to use SSH, but no where I can find why SSH?
@babai9 ssh allows you to run command line instructions like git clone to pull your code from a repository, run composer install to get a full copy of the vendor folder, and also run useful commands like php artisan config:cache
Talk to your provider. Many CPANEL installs allow SSH access.
@Snapey I talked with my provider they are asking to buy a higher plan which is out from our budget right now, although I got one of your answer in here https://laracasts.com/discuss/channels/laravel/laravel-10-change-public-folder-to-public-html-on-shared-server?page=1&replyId=891620 to be really helpful.
@babai9 If you’re “stuck” on shared hosting then:
public directory to public_html in your Laravel project.You should not try and “hide” your sensitive files using .htaccess. That’s not the solution and it’s not secure.
@martinbean Thanks for your reply but is this process is secure? Can you explain please?
@babai9 if you have main laravel out of web folders and point to public as document root you are good.
I don't understand what part of this you don't understand. .env is out of web.
- all of main laravel here (folder above public_html)
- public_html
-- stuff that was in public only goes here in the public_html folder
Yes it's secure when setup correctly. But the http://novate.co.uk/deploy-laravel-5-on-shared-hosting-from-heart-internet/ guide also is another secure setup, just a different folder structure.
But again, correctly setting up laravel has been covered many times on this forum.
If that worried then get a Digital Ocean account and host there or AWS.
Edit:
A proper setup doesn't mean all is secure, you have:
More on image security:
https://symfonycasts.com/screencast/symfony-uploads/file-naming#play
https://symfonycasts.com/screencast/symfony-uploads/upload-in-form#play
You should study and learn this stuff yourself, Google different security terms.
@jlrdw I dont want to break the recommended folder structure of laravel and the accepted way I understood is with SSH here, well structured https://laravelsharedhosting.novate.co.uk/, you got me wrong with file uploading and sql injection part I know them and really my concern was not with them, I did how much I have learned to secure the files. Some shared hosting has lots of restrictions, which I have not known before that's why my htaccess code was not running but before that it was working fine in other hosting, support told me its server specific. And also, if I need to be with them then to choose htaccess, or get a provider who can provide SSH. The process you mentioned is also good, I learned about that but again it can break the structure, I clearly want to go with SSH now, and will upload it accordingly. I got three days trial from a provider with SSH so I will first upload the fresh laravel version and test it, if all goes right will purchase it. Although it was a great help from you friend,.
@babai9 Yes, it’s secure, because you’re not dumping your application code in your public_html folder like you were if you then needed a .htaccess file to rewrite requests.
Thanks @jlrdw @snapey @martinbean I got what do I want to know finally, and at conclusion need to get SSH.
@babai9 without ssh just upload with ftp.
But do you mean ssl (https). Then yes.
@jlrdw no its SSH friend, the problem was not with htaccess, it was with the hosting provider which I was using, the same htacess is working fine for hostmonster, or in hostgator but not for godaddy, which is now solved after contacting with support as they finally recommend me to get a higher plan or change the provider.
Please or to participate in this conversation.