Section
12.2.3
Top Level
General
Place all included files into a location outside the document root, making sensitive data more secure and ensuring the included code will not be sent to the browser as plain text.
Java
Place all JSPs that are not intended to be directly accessible into the WEB-INF directory.
Natural Webagent
This does not apply to webAgent.
PHP

Store included code outside the document root

This helps prevent the code from being sent to a browser as plain text and keeps it more secure. For defense in depth, name included code with the '.php' file extension when possible, so that a file that is requested directly is executed by the PHP interpreter rather than having its sensitive data output as plain text.

Use the require_once and include_once statements in place of include and require. They help prevent errors caused by including the same file, and so redefining its functions, more than once.
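
Added example, not part of the original standard: a front controller that applies both PHP rules above. The directory layout, the APP_INCLUDES constant and the app_require() helper are assumptions made for illustration.

```php
<?php
// public/index.php : the only directory the web server exposes.
//
// Assumed layout (constructed for this example):
//   /var/www/app/public/index.php     <- document root
//   /var/www/app/includes/db.php      <- not reachable by any URL
//   /var/www/app/includes/header.php  <- '.php' extension as defense in depth

declare(strict_types=1);

// Absolute path to the include directory, one level above the document root.
// Building it from __DIR__ avoids depending on include_path or the current
// working directory.
define('APP_INCLUDES', dirname(__DIR__) . '/includes');

/**
 * Load an include file by short name (hypothetical helper).
 * Functions and classes defined in the file become global; plain variables
 * it sets stay local to this function.
 */
function app_require(string $name): void
{
    // Accept simple names only: no slashes, dots or stream wrappers.
    if (!preg_match('/\A[a-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('Bad include name');
    }

    // Resolve symlinks and confirm the file really lives under APP_INCLUDES.
    $base = realpath(APP_INCLUDES);
    $path = realpath(APP_INCLUDES . '/' . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Include not found');
    }

    // require_once: a second request for the same file is a no-op, so its
    // functions are never declared twice.
    require_once $path;
}

app_require('db');
app_require('header');
app_require('db'); // already loaded: no "cannot redeclare" fatal error
```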