
Should Django Python apps be stored in the web server document root?

As the title states, I'm trying to figure out the best practice for where to store application files for a Python website on the server. Document root, or no?

I come from a land of PHP. :)

EDIT - To that end, links to any material describing the best practice differences between Python and PHP are hugely appreciated.


No. WSGI containers don't require the scripts to be in the document root, and so to increase security in case of a transient server error they shouldn't be placed in the document root.


There's no reason to store it in the document root.

While storing the app in the doc root isn't necessarily a security problem - if configured correctly and handled carefully - storing it outside will remove a lot of headache and configuration work. That's the main reason not to do it.


I personally use the https://bitbucket.org/acoobe/django-starter/ layout with buildout. So developed apps go to the apps folder and apps that are just used go to the parts/eggs folders (parts for packets from git, mercurial or svn and eggs for pypi located apps).

So the answer is NO. Everything should be placed in separate tidied folders. All your server needs to know is where the wsgi script is and where the var dir is. Well, just like everyone else here said.


Everything has been said I think, so I will only elaborate a bit. Here is an explanation of how Apache maps URLs to files on disk: http://httpd.apache.org/docs/2.2/urlmapping.html. As you can see, the base rule is that only the files within DocumentRoot are exposed to the outside world. You can change that by doing the explicit import of other files or folders using e.g. Alias directive.

Now, you obviously don't want your Python scripts to be exposed to everyone - which means that you should keep them outside DocumentRoot and any other folder "imported" to DocumentRoot (using e.g. the mentioned Alias directive). What you want to do instead is to merely hook given URL to your Python program - if you use mod_wsgi, this can be done with WSGIScriptAlias directive. In other words, you should map the effects (result) of your script to given URL, instead of mapping the files themselves.

So - where should you keep your Python files? I would say it's a matter of personal taste - some people advise not to keep them in a user folder (i.e. /home/xyz/) because e.g. an Apache configuration flaw may expose user folders to the outside world. What's left? E.g. /usr/local/, /var/www - there's really no magic in picking a home folder for your scripts.
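
The rule the answers above describe, as an added example that is not part of any answer: this check reads Apache configuration text and reports whether a Django project directory would be served as plain files through `DocumentRoot` or an `Alias` target. The function names, sample paths and both sample configs are constructed for illustration, and the check assumes absolute paths and does not resolve symlinks.

```python
import posixpath
import shlex

# Directives that map a URL to files on disk, with the index of their path
# argument. WSGIScriptAlias is deliberately absent: it maps a URL to the
# result of running the script, not to the file itself.
FILE_MAPPING = {"documentroot": 0, "alias": 1}


def exposed_roots(config_text):
    """Return [(directive, directory)] for every file-serving mapping."""
    roots = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        idx = FILE_MAPPING.get(parts[0].lower())
        if idx is not None and len(parts) > idx + 1:
            roots.append((parts[0], posixpath.normpath(parts[idx + 1])))
    return roots


def is_exposed(project_dir, config_text):
    """List the directives that would serve files from project_dir."""
    project = posixpath.normpath(project_dir)
    hits = []
    for directive, root in exposed_roots(config_text):
        if not root.startswith("/"):
            continue  # relative to ServerRoot; out of scope for this check
        # The project is reachable when it sits at or below a served root.
        if posixpath.commonpath([root, project]) == root:
            hits.append(directive)
    return hits


# Constructed sample: project inside DocumentRoot. If the WSGI handler ever
# fails to load, the .py files would be served as plain text.
WEAK = """
DocumentRoot "/var/www/html"
WSGIScriptAlias / /var/www/html/mysite/mysite/wsgi.py
"""

# Constructed sample: project outside DocumentRoot; only static/ is aliased.
FIXED = """
DocumentRoot "/var/www/html"
Alias /static/ /srv/mysite/static/
WSGIScriptAlias / /srv/mysite/mysite/wsgi.py
"""
```
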
