6.3.2 Private Files

Configuration files and Python sources should not be directly accessible from the web. To this end, Draco blocks web access to files with the following extensions: .ini, .py, .pyc, .pyo, .pyw, .log and .inc. Any attempt to access a file with one of these extensions results in an HTTP 403 (Forbidden) response.

There is a second class of files that is considered private. Any file or directory whose name starts with two underscores (__) is private. This allows you to create private directories under the document root for files that are related to the website but must not be accessible from the web. As an example, I always use a directory __sql__ that contains all the table definitions of the website. They are nicely stored together with the rest of the website, but are not accessible to the web.
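
The following is an added example, not Draco's own code, of a request-path check that applies the two rules above. The name is_private and the decisions to percent-decode, normalize and lower-case the path before matching are assumptions of this example, not documented Draco behavior; the sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

# Extension list and "__" prefix are taken from the section above.
BLOCKED_EXTENSIONS = {".ini", ".py", ".pyc", ".pyo", ".pyw", ".log", ".inc"}
PRIVATE_PREFIX = "__"


def is_private(url_path):
    """Return True if a request for url_path should get a 403 response."""
    # Decode percent-escapes first, so "%5F%5Fsql%5F%5F" is seen as "__sql__".
    decoded = unquote(url_path)
    # Collapse "." and ".." so the check sees the path that would be resolved.
    normalized = posixpath.normpath("/" + decoded)
    components = [c for c in normalized.split("/") if c]

    # Rule 2: every component counts, not only the file name, so everything
    # below a "__" directory is private as well.
    if any(c.startswith(PRIVATE_PREFIX) for c in components):
        return True

    # Rule 1: blocked extension on the final component. Matching is
    # case-insensitive (assumption) and done on the text after the last dot,
    # so a file named exactly ".ini" is caught too (os.path.splitext would
    # report no extension for it).
    if components:
        name = components[-1].lower()
        if "." in name and "." + name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample request paths.
    for path in ("/index.html", "/settings.ini", "/__sql__/tables.sql",
                 "/docs/%5F%5Fsql%5F%5F/tables.sql", "/app/handler.PY",
                 "/my__notes.txt"):
        print(403 if is_private(path) else 200, path)
```

Note that names such as settings.ini.bak or handler.py~ match neither rule, so editor backups of private files are best kept inside a __ directory.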