Fix Improper Assets Management in CodeIgniter

Improper Asset Management in CodeIgniter usually boils down to 'Shadow APIs' and exposed internal directories. When you leave old controller versions active or fail to properly isolate the webroot, you're handing an attacker a map to your forgotten, unpatched attack surface. If your .env file is reachable or your 'writable' folder is indexed, the game is over before it starts. We fix this by enforcing strict routing and rigid directory isolation.

The Vulnerable Pattern

// app/Config/Routes.php
$routes->setAutoRoute(true); // DANGEROUS: Allows any controller method to be called via URL
// Forgotten legacy endpoint left in production
$routes->get(‘api/v1/internal-test-debug’, ‘OldAdminController::debugTools’);
// Insecure .htaccess (allowing access to system folders)
// RewriteRule ^(.*)$ index.php/$1 [L]

The Secure Implementation

To mitigate Improper Asset Management, first disable 'autoRoute'. Leaving it enabled allows attackers to fuzz and discover 'hidden' controllers you forgot to delete. Second, ensure your web server's DocumentRoot points specifically to the /public directory, not the project root; this prevents the exposure of sensitive files like .env, composer.json, and the /writable folder. Finally, audit your Routes.php to prune legacy endpoints (v1 APIs) that lack the security headers or middleware applied to newer versions.

// app/Config/Routes.php
$routes->setAutoRoute(false); // Disable auto-discovery; only explicit routes allowed
// Use environment-based route logic
if (ENVIRONMENT !== ‘production’) {
$routes->get(‘dev/tools’, ‘DevTools::index’);
}
// Explicitly define only active, audited assets
$routes->get(‘api/v2/users’, ‘UserController::index’);
// Ensure .env and system files are above the webroot
// Move all public assets to the /public folder and set it as the DocumentRoot in Nginx/Apache