Ok, so the simple fix for this would be to open index.php, and simply add "exit()":
if(X3Config::$config["settings"]["diagnostics"] || isset($_GET["diagnostics"])) {
    exit();
    ..
Matt wrote: they might contain sensitive information (no one is supposed to see my open basedir, php version or whatever)
I won't argue, because every website owner is entitled to "paranoid"-level security. I would have to note that, in reality, there is nothing anyone can make out of the PHP version in the days of modern PHP, unless you have some truly insecure apps running on your server (in which case, they shouldn't be there in the first place). And basedir is irrelevant, as it would require PHP write access in the first place to achieve anything ... Just saying, but of course, one can't argue with maximum security.
There are TWO reasons for this, one of which you might find useful.
1. First of all, my X3 websites are pre-configured via Apache config (without using ".htaccess"), which kinda implies that the config is already correct and does not require diagnosing. You could do this yourself:
https://gist.github.com/mjau-mjau/f4acd ... 13a9ff488e Apache
https://gist.github.com/mjau-mjau/6dc19 ... e566a8457b Nginx
2. There are a couple of options you can apply in Apache config. X3_SERVER_CONFIG On basically means "don't check, this server is configured successfully". X3_HIDE_DIAGNOSTICS On means hide extended info (beyond the diagnostics that check that folders are writeable etc). I'm not 100% sure that this can be used in a ".htaccess" file.
<Directory ${DOCUMENT_ROOT}>
    SetEnv X3_SERVER_CONFIG On
    SetEnv X3_HIDE_DIAGNOSTICS On
    ..
https://gist.github.com/mjau-mjau/b8fe3 ... 194706e6f5
Matt wrote: even though I have disabled the diagnostics entirely in the settings - therefore I would expect that they are never shown
The point of "show diagnostics" (enabled by default) is to run maintenance and make sure everything is working, immediately after installation. When all is good, "show diagnostics" can be disabled, effectively enabling the X3 website. Un-checking "show diagnostics" does not effectively disable diagnostics, as this is used a lot by users and myself to provide support to users.
There could perhaps be an option for this, but this is not how it currently works. Thanks for reporting! For now, you will need to use one of the possible solutions above.
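
An added example, not part of the original post and not X3 code: a middle ground between the `exit()` edit and the default behaviour, where the check quoted from index.php is only honoured for allow-listed client addresses. The function name, the allow-list and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of X3). Decides whether a request may see diagnostics.
 * $settingEnabled mirrors X3Config::$config["settings"]["diagnostics"] from the post,
 * $query stands in for $_GET, $allowList is an assumed list of admin/support addresses.
 * Unlike the original check, the setting alone no longer exposes the page to everyone.
 */
function diagnostics_allowed(bool $settingEnabled, array $query, string $remoteAddr, array $allowList): bool
{
    // Same trigger as the quoted condition: setting on, or ?diagnostics present.
    $requested = $settingEnabled || array_key_exists('diagnostics', $query);
    if (!$requested) {
        return false;
    }
    // Compare packed binary forms so different spellings of one IPv6 address match.
    $client = @inet_pton($remoteAddr);
    if ($client === false) {
        return false; // malformed address: fail closed
    }
    foreach ($allowList as $allowed) {
        $packed = @inet_pton($allowed);
        if ($packed !== false && $packed === $client) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests using documentation address ranges.
$allow = ['203.0.113.10', '2001:db8::1'];
$cases = [
    ['203.0.113.10', ['diagnostics' => '']],            // allow-listed, asks for diagnostics
    ['198.51.100.7', ['diagnostics' => '']],            // anonymous visitor, asks for diagnostics
    ['203.0.113.10', []],                               // allow-listed, normal page view
    ['2001:0db8:0:0:0:0:0:1', ['diagnostics' => '1']],  // long form of an allow-listed IPv6 address
];
foreach ($cases as [$ip, $query]) {
    $decision = diagnostics_allowed(false, $query, $ip, $allow) ? 'show' : 'hide';
    printf("%-24s %-5s %s\n", $ip, $query ? 'diag' : '-', $decision);
}
```

Behind a reverse proxy or CDN, `$_SERVER['REMOTE_ADDR']` is the proxy's address, so the allow-list would have to be applied at the proxy instead.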