Installing Matomo, I see a lot of files in the public folder (usually htdocs in Apache). This means the README, node_modules etc. are all visible on the webserver, and in the case of Node the source code is all visible. If there is some sensitive data in config files, it will all be open.
I think a lot could be blocked with a .htaccess file which filters which files are available to load on the webserver and blocks the others, but there are many files and it's not easy to have such a black-list/white-list; it would need to be maintained with the rest of the files long-term.
Has nobody had this issue before? I guess there are thousands of installations, and the folder structure is just bad practice.
I understand it's a simplified approach to put everything in one folder so it's easier to install (just put it all in htdocs). I know WordPress is also bad at this, but at least there you have plugins like Sucuri where you can harden folders and files, hide them from the public and reduce the attack vector by design. This is called “defensive programming”: with good architecture it's hard to make security bugs.
Feel free to point me to the right place here in the forum or support to discuss this.
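As an added example of the kind of deny-list the post is asking about (this is not from the original post and not Matomo's own configuration), here is an Apache 2.4 fragment that refuses to serve the directories and file types that have no business being reachable from a web root. The directory names (config/, tmp/, vendor/, node_modules/) and the web root path are assumptions based on a typical Matomo layout; check them against the files actually present in your htdocs before using this.

```apache
# Added example, not part of the original post or of the Matomo project.
# Paths and directory names below are assumptions; adjust to your install.
#
# Place this in the server config or virtual host that serves the Matomo
# web root (assumed here to be /var/www/htdocs).

# 1. Whole trees that must never be served: configuration, temp files,
#    Composer/npm dependencies. <DirectoryMatch> is only valid in the
#    server/vhost config, not in .htaccess (see section 3 for that case).
<DirectoryMatch "^/var/www/htdocs/(config|tmp|vendor|node_modules)(/|$)">
    Require all denied
</DirectoryMatch>

<Directory "/var/www/htdocs">
    # No auto-generated directory listings anywhere in the tree.
    Options -Indexes

    # 2a. Dotfiles and dot-directories: .git, .env, .htaccess, editor files.
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>

    # 2b. Project documentation and package manifests shipped with the code.
    <FilesMatch "(?i)^(README|CHANGELOG|LICENSE|CONTRIBUTING|package|composer)(\..*)?$">
        Require all denied
    </FilesMatch>

    # 2c. File types that are never legitimate web assets for this app:
    #     ini files (config.ini.php), lock files, Markdown, shell and SQL
    #     scripts, logs and editor/backup leftovers. Deliberately does NOT
    #     cover .txt/.json/.js, which the frontend may legitimately load.
    <FilesMatch "(?i)\.(ini|ini\.php|lock|md|sh|sql|log|bak|orig|swp)$">
        Require all denied
    </FilesMatch>
</Directory>

# 3. Equivalent of section 1 for a .htaccess file in the web root, for
#    hosts where you cannot edit the vhost (needs mod_rewrite and
#    AllowOverride FileInfo). Returns 403 for the same directory trees.
#
#    RewriteEngine On
#    RewriteRule ^(config|tmp|vendor|node_modules)(/|$) - [F,L]
```

After reloading Apache, verify the rules bite from the outside, for example `curl -I https://your-host/config/config.ini.php` and `curl -I https://your-host/node_modules/` should both return 403, while the application's normal pages and its JavaScript tracker still load. A deny-list like this still has the maintenance problem the post describes: every new release can add paths that are not covered, so the only structural fix is a layout where the web root contains nothing but the files meant to be served.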