Anonymous site visitors must not be able to download backups of your website
database. That’s why you should use a
private directory next to (and thus
outside of) your application’s
docroot as a protected assets path.
Boxfile, declare the “private” directory as permanent storage (see the
Boxfile documentation for details):
version: 2.0 shared_folders: - private
Configure the protected asset path on the File System page (Administer >
Configuration > Media: File system) as “
../private”. Here, the “Backup &
Migrate” module will automatically create a subdirectory named
for its backups.
When you view your assets directory via SSH/SFTP, you’ll find your backups below