
Exposed-paths scanner — common findings and fixes

The exposed-paths module probes your web server for files and endpoints that should not be publicly reachable.

What we check

A curated list of about 200 paths, including:

  • .git/, .svn/, .hg/ — version-control internals; expose source code.
  • .env, .env.local, .env.production — environment files; expose secrets.
  • wp-config.php.bak, web.config.bak — backup configs.
  • /admin, /phpmyadmin, /wp-admin/ — administrative panels (we do not log in; we only verify the panel is reachable).
  • /server-status, /server-info — Apache/nginx info pages.
  • /.DS_Store, Thumbs.db — OS metadata that leaks file structure.
  • /composer.lock, /package-lock.json (in production) — leak dependency versions.
  • /swagger-ui/, /graphql — API surfaces that should usually be private.

What we do not do

  • We do not attempt to log in.
  • We do not exploit findings.
  • We do not crawl beyond the listed paths.

What to do

Each finding includes:

  • The exact path probed.
  • The HTTP status returned (200 = exposed; 403/404 = safe).
  • The plain-English risk: "Anyone can download your .env file and read your AWS keys."
  • The fix: a one-line nginx / Apache rule blocking the path.
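The probe-and-classify logic described under "What we check" and the per-finding report under "What to do", as an added example that is not NoDowntimeShield's own scanner code. It constructs a throwaway docroot containing a placeholder `.env` and `.git/HEAD`, serves it on localhost with Python's `http.server`, probes an assumed subset of the listed paths, applies the article's rule (200 = exposed, 403/404 = safe) and attaches a one-line nginx deny rule to each exposed finding. The path list, risk wording and rule format are illustrative assumptions, not the product's curated list or exact output.

```python
"""Added example (not the product's scanner): offline self-check for exposed paths.

A constructed docroot with a placeholder .env and .git/HEAD is served on
127.0.0.1, each probe path is fetched, and the response is classified with
the article's rule: 200 = exposed, 403/404 = safe. Exposed findings carry a
one-line nginx fix. Paths and risk text below are assumptions for illustration.
"""

import os
import re
import shutil
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Assumed subset of the kinds of paths the article lists.
PROBE_PATHS = [
    "/.git/HEAD",
    "/.env",
    "/wp-config.php.bak",
    "/.DS_Store",
    "/composer.lock",
    "/server-status",
]

# Plain-English risk per path, in the style of the report (assumed wording).
RISK_TEXT = {
    "/.env": "Anyone can download your .env file and read its secrets.",
    "/.git/HEAD": "Your .git directory is reachable; source code can be reconstructed.",
}


def classify(status):
    """Article's rule: 200 = exposed, 403/404 = safe; anything else needs review."""
    if status == 200:
        return "exposed"
    if status in (403, 404):
        return "safe"
    return "review"


def probe(base_url, path, timeout=5):
    """GET one path and return the HTTP status; 4xx/5xx are returned, not raised."""
    try:
        with urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def nginx_deny_rule(path):
    """One-line nginx rule: block the whole dot-directory when the path lives
    inside one (.git/, .svn/, .hg/), otherwise block the exact path (403)."""
    first = path.lstrip("/").split("/", 1)[0]
    if first.startswith(".") and "/" in path.lstrip("/"):
        return f"location ~ ^/{re.escape(first)}/ {{ deny all; }}"
    return f"location = {path} {{ deny all; }}"


def scan(base_url, paths=PROBE_PATHS):
    """Return one finding per path: path, status, verdict, risk and fix."""
    findings = []
    for path in paths:
        status = probe(base_url, path)
        verdict = classify(status)
        exposed = verdict == "exposed"
        findings.append({
            "path": path,
            "status": status,
            "verdict": verdict,
            "risk": RISK_TEXT.get(path, "Path is publicly reachable.") if exposed else "",
            "fix": nginx_deny_rule(path) if exposed else "",
        })
    return findings


class QuietHandler(SimpleHTTPRequestHandler):
    """Static file server that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def serve_constructed_docroot():
    """Build a temp docroot (constructed .env and .git/HEAD), serve it on an
    ephemeral localhost port and return (base_url, server, root_dir)."""
    root = tempfile.mkdtemp(prefix="exposed-paths-demo-")
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")  # constructed; not a real repository
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write("AWS_SECRET_ACCESS_KEY=PLACEHOLDER_NOT_A_REAL_KEY\n")  # placeholder
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server, root


def demo():
    """Scan the constructed docroot and return only the exposed findings."""
    base_url, server, root = serve_constructed_docroot()
    try:
        return [f for f in scan(base_url) if f["verdict"] == "exposed"]
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']} {f['path']}: {f['risk']}\n    fix: {f['fix']}")
```

Running it reports `.env` and `.git/HEAD` as exposed and the other probes as safe, which is exactly the 200 versus 403/404 split the report uses. The generated nginx rule for a dot-directory blocks the whole tree rather than the single file that was probed, since one reachable file under `.git/` means the rest of it is reachable too; the equivalent Apache rule would be a `<DirectoryMatch>` or `RedirectMatch 404` on the same pattern.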

Frequency

Daily.
