You might have seen it in your Apache logs: on Magento sites, the webserver may log messages about access to the file app/etc/local.xml. That is good in itself, because web access to the Magento local.xml file would indicate a serious security problem. But what is causing this behaviour, and how do you stop it from happening?

Magento checks for security

The message looks something like the following:

client denied by server configuration: MAGENTO_DIR/app/etc/local.xml

If you check a bit further, you might notice that this message occurs when you try to visit the file app/etc/local.xml from within your browser. This is very good, because .htaccess rules should exist to block access to this XML configuration file, which contains sensitive information about your database, among other things.

But you might also notice that this message is actually logged by Apache for every page in the Magento Admin Panel. If the Magento backend is visited a lot, this floods the Apache logs, or even worse, slightly degrades the performance of your backend.

Magento security notifications

This behaviour can be traced back to the following PHP class:

app/code/core/Mage/Adminhtml/Block/Notification/Security.php

That class contains a method that tries to fetch app/etc/local.xml over HTTP with cURL, and if this succeeds it generates a security warning. But if you are the site administrator and you know for sure that your security is up to date, you might want to get rid of the message.
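To know that for sure, you can reproduce that probe once by hand rather than on every admin page. The following is an added example, not Magento's own code: probe_local_xml performs the same GET the notification block does, and a constructed stub server (hypothetical, included only so the example runs offline) stands in for a vhost with and without the .htaccess rule.

```python
# Added example (not Magento code): reproduces the probe that the Security
# notification block performs with cURL, so an admin can verify the
# .htaccess rule once instead of leaving the per-page check switched on.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOCAL_XML_PATH = "/app/etc/local.xml"

def probe_local_xml(base_url, timeout=5.0):
    """GET <base_url>/app/etc/local.xml and report whether it is exposed."""
    url = base_url.rstrip("/") + LOCAL_XML_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "local-xml-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.getcode(), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""  # 403/404 means the rule is doing its job
    # Only a 200 carrying the XML config is a leak; a 200 HTML "not found" page is not.
    exposed = status == 200 and "<config" in body
    return {"url": url, "status": status, "exposed": exposed}

class _StubMagento(BaseHTTPRequestHandler):
    """Constructed stand-in for a Magento vhost, used only to run the demo offline."""
    protected = True  # False simulates a vhost with no .htaccess rule

    def do_GET(self):
        if self.path == LOCAL_XML_PATH and self.protected:
            self.send_response(403)  # what the shipped .htaccess should produce
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.end_headers()
        self.wfile.write(b"<config><global><resources/></global></config>")

    def log_message(self, *args):  # keep the demo output quiet
        pass

def run_demo(protected):
    """Start the stub on a free port, probe it, shut it down, return the result."""
    _StubMagento.protected = protected
    server = HTTPServer(("127.0.0.1", 0), _StubMagento)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_local_xml("http://127.0.0.1:%d" % server.server_port)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real store, call probe_local_xml with the shop's base URL; a 403 or 404 with exposed False is the result you want before removing the notification block.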

Getting rid of the security notification

To get rid of this security check, do not attempt to hack the Magento core (as some forum threads have suggested in the past). Instead, you can simply modify the admin theme's layout to remove this check. Open the following file, or create it if it does not exist:

app/design/adminhtml/default/default/layout/local.xml

Then add the following code to it:

<layout>
    <default>
        <remove name="notification_security" />
        <remove name="notification_survey" />
    </default>
</layout>

This removes the blocks notification_security and notification_survey from the backend pages entirely, thereby skipping the security check. No core hacks involved. Note that this only removes the notification, not the protection: the .htaccess rules that actually block access to app/etc/local.xml must stay in place.