
Is it secure to have website files in public_html


I had a backend in Laravel and a frontend in React. Now a guy has converted my frontend to Next.js.

My question: I see he has put my frontend in the public folder and the backend in the public folder too. Before he converted it, I had a folder named website app outside the public folder.

But is it secure to have both backend and frontend in the public folder? Can someone download the whole website files when I have everything in the public folder?

It sounds a little weird to me.


Solution

  • You are right, the whole project shouldn't be in the public folder. As its name says, it is for things that should have public access, and the other non-public files should be in folders above the public folder. This is a good practice, but keep in mind that there is no best place to store your files safely. The safety of your sensitive files is only the result of a combination of good security measures adopted on the server.

    If your project is made with Laravel you should already have a public folder inside it, THAT is what should be inside the public folder on the server. Laravel treats the public folder as the content that is already compiled and "ready to show it" to the browser. Your views, css and js files are in the folder resources, and if you check your public folder it will have a css folder, a js folder and index.php. This is because Laravel allows the user to use Blade and Sass for example, and these things need to be processed and converted into the files you see in the public folder so the browser can understand them.

    So you should use the public folder that Laravel gives you and not post the whole project in the public folder.
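
A check for the layout the answer describes, added here as an example (it is not part of the original answer): the function `audit_docroot` (a name chosen for this sketch) looks in a web root, and one folder level below it, for files that exist only in the non-public part of a Laravel project. The marker list assumes the default Laravel skeleton.

```shell
#!/bin/sh
# Added example: audit a web server document root for Laravel project
# files that belong above it. Assumes the default Laravel skeleton.

# Paths found only in the non-public part of a Laravel project.
# Full file paths are used instead of bare folder names so that
# legitimate public/storage or public/vendor asset folders are not flagged.
LARAVEL_PRIVATE_MARKERS=".env artisan composer.json composer.lock
vendor/autoload.php bootstrap/app.php config/app.php routes/web.php
storage/logs"

# audit_docroot DIR
# Prints one "EXPOSED: <path>" line per marker found in DIR or in a
# direct subfolder of DIR (for example public_html/backend/.env).
# Returns 0 if nothing was found, 1 if something is exposed,
# 2 if DIR is not a directory.
audit_docroot() {
    docroot=$1
    if [ ! -d "$docroot" ]; then
        echo "not a directory: $docroot" >&2
        return 2
    fi
    found=0
    for marker in $LARAVEL_PRIVATE_MARKERS; do
        # The unquoted * expands to each visible subfolder; when nothing
        # matches, the pattern stays literal and the -e test is false.
        for path in "$docroot/$marker" "$docroot"/*/"$marker"; do
            if [ -e "$path" ]; then
                echo "EXPOSED: $path"
                found=1
            fi
        done
    done
    return "$found"
}

# Stand-alone use: sh audit_docroot.sh /path/to/public_html
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

A clean result only means these marker files are not inside the web root; it does not show that the server is otherwise configured safely.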