Security warning

It is EXTREMELY important that the config.neon file, and indeed the entire app, log, etc. are NOT accessible from a web browser. If these directories can be accessed directly from the Internet, anyone will be able to see your passwords and other sensitive information.

How do you know if a file is protected? You can try to open it in a browser. If your site is located at and you have an app/config directory with a config.neon file located there, try opening the URL The browser should report that the page does not exist. If it displays the contents of the configuration file instead, you have a serious security hole in your site and need to patch it.

It is your responsibility to protect critical directories from access from the web.

These directories must be located OUTSIDE the public folder (called document root). If your hosting would not allow you to create folders one level above the public directory, find another hosting. Otherwise, you run a significant security risk.