It is EXTREMELY important that the
config.neon file, and indeed the entire
log, etc. are NOT accessible from a web browser. If these directories can be accessed directly from the Internet,
anyone will be able to see your passwords and other sensitive information.
How do you know if a file is protected? You can try to open it in a browser. If your site is located at
http://example.com/ and you have an
app/config directory with a
config.neon file located
there, try opening the URL
http://example.com/app/config/config.neon. The browser should report that the page does
not exist. If it displays the contents of the configuration file instead, you have a serious security hole in your site and need
to patch it.
It is your responsibility to protect critical directories from access from the web.
These directories must be located OUTSIDE the public folder (called document root). If your hosting would not allow you to create folders one level above the public directory, find another hosting. Otherwise, you run a significant security risk.