Exposure · Check
Sensitive files exposed (.env, .git, backups) — locking down the web root
When `.env`, `.git/config`, database dumps, or backup archives are reachable over HTTP, they almost always contain credentials — API keys, database passwords, or signing secrets — that lead directly to full compromise. Mass scanners hit thousands of common paths per second; a single hit is enough.
Why it matters
The fix is layered: keep secrets out of the web root entirely, rotate any credentials that may have been exposed, and add edge rules to block the common patterns (`.env`, `.git`, `.bak`, `~`, `wp-config.php.bak`) so future leaks fail fast.
Real-world risk
Publicly reachable `.env` files, backups, or repository metadata often lead to credential theft and full compromise.
Fix steps (in order)
- Remove files from the web root; block paths at the edge; never commit secrets.
- Rotate any credentials that may have been exposed.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (`sensitive_path_probe`) clears once the probed paths no longer return file content to an external request.
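The check below is an added example for verifying the fix yourself, not code from the Scorifya page or scanner. It probes a web root for the sensitive paths named above, classifies each response as exposed, blocked, absent or inconclusive, and first requests a random control path so that a "soft 404" site (one that answers 200 for everything) does not produce false exposures. The path list, the `exposure-check` User-Agent and the demo web root (a temp directory with a constructed `.env` and `.git/config`) are all assumptions made for the example.

```python
"""Probe a web root for commonly exposed sensitive paths (added verification example)."""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Paths commonly leaked from a web root; constructed list, extend it for your stack.
SENSITIVE_PATHS = [
    "/.env",
    "/.git/config",
    "/backup.sql",
    "/wp-config.php.bak",
    "/index.php~",
]


def fetch(url, timeout=5):
    """Return (status, body) for a GET; HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body, soft_404):
    """Map a response to a verdict.

    A 200 with a non-empty body is an exposure, unless the site answers 200 for
    unknown paths too (soft 404), in which case the result needs manual review.
    401/403 means an edge rule is in place; anything else counts as absent.
    """
    if status == 200 and body.strip():
        return "inconclusive" if soft_404 else "exposed"
    if status in (401, 403):
        return "blocked"
    return "absent"


def probe(base_url, paths=SENSITIVE_PATHS):
    """Probe each path under base_url and return {path: verdict}."""
    base_url = base_url.rstrip("/")
    # Control request: a path that cannot exist tells us whether 200 is meaningful.
    control = "/__exposure_check_" + os.urandom(8).hex()
    soft_404 = fetch(base_url + control)[0] == 200
    results = {}
    for path in paths:
        status, body = fetch(base_url + path)
        results[path] = classify(status, body, soft_404)
    return results


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server that serves dotfiles (like a misconfigured web root) and stays silent."""

    def log_message(self, *args):
        pass


def serve_directory(directory):
    """Serve a directory on a random loopback port; returns (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo_web_root():
    """Create a temp web root containing two constructed leaks and return its path."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("DB_PASSWORD=example-not-a-real-secret\n")  # constructed value
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[core]\n\trepositoryformatversion = 0\n")
    return root


if __name__ == "__main__":
    server, base = serve_directory(demo_web_root())
    try:
        for path, verdict in probe(base).items():
            print("%-20s %s" % (path, verdict))
    finally:
        server.shutdown()
```

Run it against the demo root and the two planted files report `exposed` while the rest report `absent`; point `probe()` at your own host after deploying the edge rules and every path should come back `blocked` or `absent`. An `inconclusive` result means the site returns 200 for unknown paths, so confirm by hand that the body is a generic page rather than file content.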