One of the most common and dangerous security misconfigurations is leaving sensitive files accessible on your web server. Database credentials in .env files, backup archives, Git repositories, and configuration files — these are treasures for attackers and surprisingly easy to find with simple URL guessing or directory traversal techniques.

What Are Sensitive Files?

Sensitive files are any server-side files that should never be publicly accessible. They typically contain:

Credentials: Database passwords, API keys, secret tokens
Configuration: Server settings, internal IP addresses, debug flags
Source code: Application logic, business rules, proprietary algorithms
Backups: Database dumps, compressed archives of the application
Version control: Git history containing commit history and past secrets

Most Commonly Exposed Files

Environment and Configuration Files

.env — Environment variables with database URLs, API keys, secrets
.env.local, .env.production — Environment-specific variants
config.php, config.yml — Application configuration
wp-config.php — WordPress database credentials
settings.py — Django settings with SECRET_KEY
application.properties — Spring Boot configuration

Version Control Files

.git/ — Entire Git repository including history and credentials
.git/config — Remote repository URLs (may contain tokens)
.svn/ — Subversion metadata
.hg/ — Mercurial repository data

Backup and Archive Files

backup.sql, dump.sql — Database backups with all data
backup.zip, backup.tar.gz — Compressed application backups
*.bak, *.old, *.orig — Editor backup files

Debug and Development Files

phpinfo.php — Full PHP configuration including environment variables
debug.log, error.log — Application logs with stack traces
.DS_Store — macOS directory metadata revealing file structure
Thumbs.db — Windows thumbnail cache

How Attackers Find Sensitive Files

Attackers use automated tools, directory traversal techniques, and brute-forcing to check common file paths on every website they scan:

URL brute-forcing and directory traversal: Testing thousands of known file paths like /.env, /.git/HEAD, /backup.sql
Google dorking: Using search operators like site:example.com filetype:sql
Directory listing: If enabled, browsing entire directory structures
Wayback Machine: Finding files that were once accessible but since removed
GitHub search: Finding accidentally committed secrets in public repositories

How to Protect Sensitive Files

1. Block Access at the Web Server Level

Nginx:

# Block dotfiles (except .well-known)
location ~ /\.(?!well-known) {
  deny all;
  return 404;
}

# Block backup files
location ~* \.(bak|sql|log|old|orig|swp|swo)$ {
  deny all;
  return 404;
}

Apache (.htaccess):

# Block dotfiles
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

# Block sensitive extensions
<FilesMatch "\.(bak|sql|log|env|git)$">
  Require all denied
</FilesMatch>

2. Store Secrets Outside the Web Root

Never place configuration files in your public web directory. Use environment variables or files outside the document root:

# Good: environment variable
DATABASE_URL=postgresql://user:pass@localhost/db

# Bad: config file in web root
/var/www/html/config.php  <-- accessible as https://example.com/config.php

3. Use .gitignore Properly

# .gitignore
.env
.env.*
*.sql
*.bak
*.log
node_modules/
.DS_Store

4. Disable Directory Listing

# Nginx
autoindex off;

# Apache
Options -Indexes

Automated Detection

Manual checking is insufficient — there are hundreds of possible sensitive file paths. SecScanner's Sensitive Files Exposure check automatically tests for all common sensitive file paths and reports any that are publicly accessible. Run a scan to discover files you didn't know were exposed.

Sensitive Files Protection Checklist

Block access to all dotfiles (.env, .git, .htaccess) at the server level
Remove or restrict backup files (.bak, .sql, .zip, .tar.gz)
Ensure .git directory is not accessible from the web
Disable directory listing on all directories
Move secrets to environment variables outside the web root
Audit your .gitignore for sensitive file patterns
Check for debug files (phpinfo.php, debug.log)
Run a SecScanner scan to detect exposed sensitive files

Sensitive file exposure is one of the easiest vulnerabilities to exploit and one of the most damaging. A single exposed .env file can compromise your entire infrastructure. Regular scanning and proper server configuration are your best defense.

What Are Sensitive Files?

Sensitive files are any server-side files that should never be publicly accessible. They typically contain:

Credentials: Database passwords, API keys, secret tokens
Configuration: Server settings, internal IP addresses, debug flags
Source code: Application logic, business rules, proprietary algorithms
Backups: Database dumps, compressed archives of the application
Version control: Git history containing commit history and past secrets

Most Commonly Exposed Files

Environment and Configuration Files

.env — Environment variables with database URLs, API keys, secrets
.env.local, .env.production — Environment-specific variants
config.php, config.yml — Application configuration
wp-config.php — WordPress database credentials
settings.py — Django settings with SECRET_KEY
application.properties — Spring Boot configuration

Version Control Files

.git/ — Entire Git repository including history and credentials
.git/config — Remote repository URLs (may contain tokens)
.svn/ — Subversion metadata
.hg/ — Mercurial repository data

Backup and Archive Files

backup.sql, dump.sql — Database backups with all data
backup.zip, backup.tar.gz — Compressed application backups
*.bak, *.old, *.orig — Editor backup files

Debug and Development Files

phpinfo.php — Full PHP configuration including environment variables
debug.log, error.log — Application logs with stack traces
.DS_Store — macOS directory metadata revealing file structure
Thumbs.db — Windows thumbnail cache

How Attackers Find Sensitive Files

Attackers use automated tools, directory traversal techniques, and brute-forcing to check common file paths on every website they scan:

URL brute-forcing and directory traversal: Testing thousands of known file paths like /.env, /.git/HEAD, /backup.sql
Google dorking: Using search operators like site:example.com filetype:sql
Directory listing: If enabled, browsing entire directory structures
Wayback Machine: Finding files that were once accessible but since removed
GitHub search: Finding accidentally committed secrets in public repositories

How to Protect Sensitive Files

1. Block Access at the Web Server Level

Nginx:

# Block dotfiles (except .well-known)
location ~ /\.(?!well-known) {
  deny all;
  return 404;
}

# Block backup files
location ~* \.(bak|sql|log|old|orig|swp|swo)$ {
  deny all;
  return 404;
}

Apache (.htaccess):

# Block dotfiles
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

# Block sensitive extensions
<FilesMatch "\.(bak|sql|log|env|git)$">
  Require all denied
</FilesMatch>

2. Store Secrets Outside the Web Root

Never place configuration files in your public web directory. Use environment variables or files outside the document root:

# Good: environment variable
DATABASE_URL=postgresql://user:pass@localhost/db

# Bad: config file in web root
/var/www/html/config.php  <-- accessible as https://example.com/config.php

3. Use .gitignore Properly

# .gitignore
.env
.env.*
*.sql
*.bak
*.log
node_modules/
.DS_Store

4. Disable Directory Listing

# Nginx
autoindex off;

# Apache
Options -Indexes

Automated Detection

Sensitive Files Protection Checklist

Block access to all dotfiles (.env, .git, .htaccess) at the server level
Remove or restrict backup files (.bak, .sql, .zip, .tar.gz)
Ensure .git directory is not accessible from the web
Disable directory listing on all directories
Move secrets to environment variables outside the web root
Audit your .gitignore for sensitive file patterns
Check for debug files (phpinfo.php, debug.log)
Run a SecScanner scan to detect exposed sensitive files

Sensitive File Exposure: Hidden Dangers Lurking on Your Web Server

What Are Sensitive Files?

Most Commonly Exposed Files

Environment and Configuration Files

Version Control Files

Backup and Archive Files

Debug and Development Files

How Attackers Find Sensitive Files

How to Protect Sensitive Files

1. Block Access at the Web Server Level

2. Store Secrets Outside the Web Root

3. Use .gitignore Properly

4. Disable Directory Listing

Automated Detection

Sensitive Files Protection Checklist

Related Articles

Server Information Disclosure: Why Hiding Your Tech Stack Matters

Getting Started with Website Security: A Practical Guide

Security.txt: Set Up Responsible Vulnerability Disclosure (RFC 9116)

Check Your Website Security

Sensitive File Exposure: Hidden Dangers Lurking on Your Web Server

What Are Sensitive Files?

Most Commonly Exposed Files

Environment and Configuration Files

Version Control Files

Backup and Archive Files

Debug and Development Files

How Attackers Find Sensitive Files

How to Protect Sensitive Files

1. Block Access at the Web Server Level

2. Store Secrets Outside the Web Root

3. Use .gitignore Properly

4. Disable Directory Listing

Automated Detection

Sensitive Files Protection Checklist

Related Articles

Server Information Disclosure: Why Hiding Your Tech Stack Matters

Getting Started with Website Security: A Practical Guide

Security.txt: Set Up Responsible Vulnerability Disclosure (RFC 9116)

Check Your Website Security