I'm self-taught in web development and manage a few small websites using Apache. I've always structured my directories in a way where the URLs directly correspond to their locations. For example, the URL "mysite.com/dir/subdir/" points to "root/dir/subdir/index.php". Recently, a client mentioned that they've received advice about web security and are concerned that I haven't masked the directory structure. They want me to make sure that URLs are independent of my directory layout to obscure where files and folders are actually stored on the server. Is this a common security concern? What are the best practices to achieve this? Should I be implementing htaccess rewriting or using PHP redirects? Note that directory listing isn't exposed since directories without an index file redirect properly.
3 Answers
Wait, what? I thought this was standard? Why is it a security issue?
Do you have any sensitive information stored on your server? If yes, make sure it’s properly protected and not accessible via public URLs.
Best practice dictates that your main application entry and static assets should be in a public folder, while sensitive libraries or scripts should be placed in a different directory adjacent to this public one. This way, you keep your actual filesystem hidden from potential attackers.

Related Questions
How to Build a Custom GPT Journalist That Posts Directly to WordPress
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads