
[Input] Add warning when Document Root equals Application Root in Node.js apps

Maarten

Problem

When configuring a Node.js application in Plesk, users can set Document Root and Application Root to the same path. This creates a serious security vulnerability where server-side code (app.js, config files, database credentials, API keys) becomes directly accessible via HTTP.

Example: If both roots are set to /var/www/vhosts/domain.com/httpdocs/, accessing https://example.com/app.js will expose the application's source code and potentially sensitive information.

This is a common misconfiguration, especially for users new to Node.js deployments in Plesk.

Proposed Solution

1. Show a warning when Document Root and Application Root are set to the same path:

"⚠️ Warning: Document Root and Application Root are identical. This may expose your application code and sensitive files. Consider setting Document Root to a subdirectory (e.g., /public) that only contains static assets intended for public access."

2. Improve default behavior: When creating a new Node.js application, automatically set Document Root to `{Application Root}/public` instead of the Application Root itself. This follows standard conventions used by Express, Next.js, and most Node.js frameworks.

3. Add documentation link in the Node.js settings panel explaining the difference between Document Root and Application Root, with examples of secure configurations.

Current Workarounds

Manually set Document Root to a subdirectory (typically /public) that only contains static assets (CSS, images, client-side JavaScript), while keeping Application Root pointing to the main application directory containing server-side code.
 
Hi, @Maarten. Thank you for your input. We recently got a similar feature request and I will add your input as an addition to it for further check. I will follow up with more details as soon as possible.
 