
I'm setting up a LAMP stack on Ubuntu 20.04, and had this recent discussion with a colleague about the fact that it's better to not keep the PHP scripts of all of your stack (classes, API controllers, etc.) within the web directory of your server, as they're publicly available. In case of a bad configuration, the worst-case scenario is that your PHP files could be output in plain text to the browser. Although all of this sounds a bit weird to me, some posts seem to confirm this.

So I wondered: let's say I've set my DocumentRoot in Apache to www/html, and I want to load all of my PHP scripts into /prod_code. How can I make sure that these files can only be run if required in their specific scenario of www/html/index.php, and nothing else, and especially not publicly via the web root?

I've also started going through this documentation, but I am a little unsure about how I can find out if the PHP installation of my server is running as an Apache module or if it's the CGI binary, hence I do not understand how I can predict the changes of options such as doc_root, etc.?

DevelJoe
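A layout check for the setup described in the question, as an added example that is not part of the original post: it verifies that the code directory resolves to a location outside the DocumentRoot and that `index.php` is the only PHP source file under it. The function names and the extension list are assumptions made for this example, and `realpath -m` requires GNU coreutils (present on Ubuntu).

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# List PHP source files under the docroot other than the front controller.
# -L follows symlinks, so a link from the docroot into the code tree is caught.
# The extension list is an assumed set of names commonly used for PHP source.
stray_php_files() {
    local docroot=${1%/} front=${2:-index.php}
    find -L "$docroot" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        ! -path "$docroot/$front" -print | sort
}

# Return 0 if code_dir resolves outside docroot, 1 if inside or equal.
code_outside_docroot() {
    local docroot code
    docroot=$(realpath -m -- "$1") || return 2
    code=$(realpath -m -- "$2") || return 2
    case "$code/" in
        "$docroot/"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Run both checks and report; non-zero exit status means the layout is unsafe.
audit_layout() {
    local docroot=${1%/} code_dir=$2 rc=0 stray
    if ! code_outside_docroot "$docroot" "$code_dir"; then
        echo "FAIL: $code_dir is inside $docroot"
        rc=1
    fi
    stray=$(stray_php_files "$docroot")
    if [ -n "$stray" ]; then
        echo "FAIL: PHP files other than index.php under $docroot:"
        echo "$stray"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: index.php is the only PHP file under $docroot"
    fi
    return "$rc"
}

# Usage: ./audit.sh /var/www/html /prod_code
if [ "$#" -eq 2 ]; then
    audit_layout "$1" "$2"
fi
```

This only checks the file layout; it does not inspect the Apache or PHP configuration itself.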

0 Answers