Document Root
Learning Focus
By the end of this lesson you will understand what the document root is, how to set it correctly, and why isolating it from the project root is a key security practice.
What the Document Root Is
The document root is the directory OpenLiteSpeed serves as the public web root for a site. Any file inside this directory can potentially be served to visitors. Files outside it are not directly accessible via HTTP.
The Most Important Rule
Point the document root to a public subdirectory, not to the full project root.
# BAD — exposes everything
Document Root: /var/www/example.com/
├── .env ← exposed!
├── config/ ← exposed!
├── vendor/ ← exposed!
└── public/
    └── index.php
# GOOD — only public files are accessible
Document Root: /var/www/example.com/public/
└── index.php
Warning: If the document root points to the project root, sensitive files like .env, config/database.php, or vendor/ are accessible to anyone who knows the URL.
Configuring the Document Root
In WebAdmin
- Navigate to Virtual Hosts → select your virtual host
- Go to the General tab
- Set Document Root to: /var/www/example.com/public/
- Save and Graceful Restart
Verifying
# Confirm the directory exists and has correct permissions
ls -la /var/www/example.com/public/
# Test that files are served correctly
curl http://localhost/index.html
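# Test that parent directory files are NOT accessible
# (curl collapses the ../ before sending, so this requests /.env;
#  add --path-as-is to send the path exactly as written; -i shows the status line)
curl -i http://localhost/../.env
# Should return 403 or 404, NOT file contents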
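A filesystem-side complement to the HTTP checks above, as an added example that is not part of the original lesson: it flags entries from the lesson's table that sit directly inside a candidate document root. The function names `audit_docroot` and `make_demo_project` and the temporary sample tree are constructed for this example.

```sh
#!/bin/sh
# Added example: check a candidate document root for entries that must stay
# outside it. The entry list comes from the lesson's table; extend it for
# your framework.
SENSITIVE_ENTRIES=".env config vendor storage"

# audit_docroot DIR
# Prints one line per sensitive entry found directly inside DIR.
# Exit status: 0 = clean, 1 = something is exposed, 2 = DIR is not a directory.
# The body is a subshell, so the cd and the variables do not leak to the caller.
audit_docroot() (
    [ -d "$1" ] || { echo "ERROR: not a directory: $1" >&2; exit 2; }
    cd "$1" || exit 2
    docroot=$(pwd -P)          # resolve symlinks in the path to the doc root
    status=0
    for entry in $SENSITIVE_ENTRIES; do
        # -L also catches a symlink placed in the doc root, even a dangling one
        if [ -e "$entry" ] || [ -L "$entry" ]; then
            echo "EXPOSED: $docroot/$entry"
            status=1
        fi
    done
    exit "$status"
)

# make_demo_project DIR: constructed sample tree matching the lesson's layout.
make_demo_project() {
    mkdir -p "$1/config" "$1/vendor" "$1/public"
    echo "DB_PASSWORD=constructed-sample" > "$1/.env"
    echo "<?php echo 'ok';" > "$1/public/index.php"
}

# Demo: the project root fails the audit, the public/ subdirectory passes.
demo=$(mktemp -d)
make_demo_project "$demo"
audit_docroot "$demo" || echo "-> do not use the project root as document root"
audit_docroot "$demo/public" && echo "-> public/ is safe to use as document root"
rm -rf "$demo"
```

Run it against the path configured as Document Root before each Graceful Restart; a non-zero exit status means the path is too broad or a sensitive entry has been linked into it.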
Directory Structure Best Practices
| Directory | Inside Doc Root? | Purpose |
|---|---|---|
| public/ | ✅ Yes (this IS the doc root) | Index files, CSS, JS, images |
| config/ | ❌ No | Application configuration |
| vendor/ | ❌ No | Dependencies |
| storage/ | ❌ No | Logs, cache, uploads |
| .env | ❌ No | Environment secrets |
Key Takeaways
- The document root should be a narrow public directory, not the full project root.
- Keeping it narrow prevents exposing source files, secrets, or non-web assets.
- Always verify by testing that sensitive files cannot be accessed via HTTP.
What's Next
- Continue to Domain Mapping to connect domains to your virtual host.