Deployment

Once your application is complete, or even before that you’ll want to deploy it.There are a few things you should do when deploying a CakePHP application.

Moving files

You are encouraged to create a git commit and pull or clone that commit orrepository on your server and run composer install.While this requires some knowledge about git and an existing install of gitand composer this process will take care about library dependencies and fileand folder permissions.

Be aware that when deploying via FTP you will at least have to fix file andfolder permissions.

You can also use this deployment technique to setup a staging- or demo-server(pre-production) and keep it in sync with your dev box.

Adjust config/app.php

Adjusting app.php, specifically the value of debug is extremely important.Turning debug = false disables a number of development features that shouldnever be exposed to the Internet at large. Disabling debug changes the followingtypes of things:

  • Debug messages, created with pr(), debug() and dd() aredisabled.
  • Core CakePHP caches are by default flushed every year (about 365 days), instead of every10 seconds as in development.
  • Error views are less informative, and give generic error messages instead.
  • PHP Errors are not displayed.
  • Exception stack traces are disabled.

In addition to the above, many plugins and application extensions use debugto modify their behavior.

You can check against an environment variable to set the debug level dynamicallybetween environments. This will avoid deploying an application with debugtrue and also save yourself from having to change the debug level each timebefore deploying to a production environment.

For example, you can set an environment variable in your Apache configuration:

  1. SetEnv CAKEPHP_DEBUG 1

And then you can set the debug level dynamically in app.php:

  1. $debug = (bool)getenv('CAKEPHP_DEBUG');
  2.  
  3. return [
  4.     'debug' => $debug,
  5.     .....
  6. ];

Check Your Security

If you’re throwing your application out into the wild, it’s a good idea to makesure it doesn’t have any obvious leaks:

  • Ensure you are using the Cross Site Request Forgery (CSRF) Middleware component or middleware.
  • You may want to enable the Security component.It can help prevent several types of form tampering and reduce the possibilityof mass-assignment issues.
  • Ensure your models have the correct Validation rulesenabled.
  • Check that only your webroot directory is publicly visible, and that yoursecrets (such as your app salt, and any security keys) are private and uniqueas well.

Set Document Root

Setting the document root correctly on your application is an important step tokeeping your code secure and your application safer. CakePHP applicationsshould have the document root set to the application’s webroot. Thismakes the application and configuration files inaccessible through a URL.Setting the document root is different for different webservers. See theURL Rewriting documentation for webserver specificinformation.

In all cases you will want to set the virtual host/domain’s document to bewebroot/. This removes the possibility of files outside of the webrootdirectory being executed.

Improve Your Application’s Performance

Class loading can take a big share of your application’s processing time.In order to avoid this problem, it is recommended that you run this command inyour production server once the application is deployed:

  1. php composer.phar dumpautoload -o

Since handling static assets, such as images, JavaScript and CSS files ofplugins, through the Dispatcher is incredibly inefficient, it is stronglyrecommended to symlink them for production. This can be done by usingthe plugin shell:

  1. bin/cake plugin assets symlink

The above command will symlink the webroot directory of all loaded pluginsto appropriate path in the app’s webroot directory.

If your filesystem doesn’t allow creating symlinks the directories will becopied instead of being symlinked. You can also explicitly copy the directoriesusing:

  1. bin/cake plugin assets copy

Deploying an update

After deployment of an update you might also want to run bin/cake schema_cacheclear, part of the Schema Cache Tool shell.