No one on the engineering team had created it. The timestamp matched the attacker’s first POST request. She opened it.
| Do | Don't | |----|-------| | Serve your app from public/index.php with vendor/ outside the web root. | Expose vendor/ to the internet. | | Use .htaccess or nginx rules to block access to vendor/ . | Rely on "security by obscurity" with index files. | | Run composer install --no-dev on production to remove PHPUnit entirely. | Leave PHPUnit in production, even if unused. | No one on the engineering team had created it