
The files you forgot you deployed

The .env, the backup, the .git folder anyone can download with a URL.

Can anyone download your .env file? (Type the URL and find out)

A public .env hands a stranger your database password, API keys, and secrets in one request. How it leaks, how to check, and how to close it off.

Is your .git folder public? Strangers can rebuild your source from it

A public .git directory lets anyone clone your full source history, secrets and all. How it leaks, what attackers pull, and the one-line fix.

Why a leftover backup.sql is the worst file on your server

A forgotten backup.sql in your web root is every customer record in one download. Why it happens, what's in it, and how to find it before a bot does.

WordPress backup and config files attackers check first

Bots hit wp-config.php.bak and debug.log minutes after a WordPress site goes live. What those files leak and how to lock them down.

Is your directory listing turned on without you knowing?

An open /uploads/ index lists every file you never linked. Why directory listing turns on by accident and how to check it from outside.

Your S3 bucket says "public." Did you mean that?

"Public" on an S3 bucket can mean publicly listable: every object name enumerable, not just the ones you linked. What ListBucket exposes, why it happens, and how to check from outside.

Spring Boot Actuator: the /actuator endpoints that dump your secrets

An exposed /actuator/env or /heapdump on a Spring Boot app hands a stranger your config and a memory dump full of live keys. What each endpoint leaks, and how to lock it.

terraform.tfstate, .aws/credentials, sftp.json: the infra files in your web root

A public terraform.tfstate or .aws/credentials hands a stranger your whole cloud. The deploy and infra config files that end up downloadable, and how to check.

Is your SSH private key downloadable from your own website?

A public id_rsa is a direct login to your server; a public .htpasswd is a list of password hashes to crack offline. How private keys end up in the web root, what a stranger does with one, and how to check in seconds.

phpinfo.php, server-status, .DS_Store: the small leaks that map your server

A public phpinfo.php or /server-status hands an attacker a full map of your stack. The low-severity files that add up to reconnaissance, and how to find them.

A public .svn folder rebuilds your source the same way a .git one does

Subversion leaves a .svn directory that exposes your source history just like .git. How a public .svn/wc.db lets a stranger reconstruct your code, and the fix.

Is your TLS private key downloadable? (It's the one file that undoes HTTPS)

A public server.key or privkey.pem hands a stranger the private half of your TLS certificate, the secret that proves a server is really you. How it leaks, what it lets an attacker do, and how to check.

nginx.conf, .user.ini, authorized_keys: the config files that map your server for free

Web-server configs, PHP runtime files, IDE datasource configs, and SSH key lists rarely hold passwords, but once downloadable they hand an attacker your internal layout: paths, upstreams, usernames, and which keys are trusted. The low-severity files that add up to a map.

Your Next.js or Cloudflare Pages build output is leaking secrets it was never meant to serve

A mis-served .next manifest hands over your env block and a key to forge preview cookies. A _worker.js.map de-minifies your server code. A _redirects file can hide an API key in plain sight. The modern-framework build leaks, explained.

A downloadable keystore.jks or site-backup.zip is your whole app in one file

A Java keystore holds the private keys for your TLS and signing. A backup archive is the entire site, source and secrets, zipped. Both end up downloadable, and both are found by their first few bytes, not their name.
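Every entry above ends with "how to check from outside", and the last one makes the point that matters for the check: a leaked file is identified by its first bytes, not by its name, and a web server that answers 200 with an HTML error page for every path makes a status-code-only scan worthless. The following is an added example (not code from this site or any tool it describes): a classifier that labels a downloaded body by its leading bytes for the file types listed on this page, plus an assumed fetch helper for wiring it to a host you are authorised to test. The path list is a constructed sample, not a wordlist.

```python
"""Identify what a downloaded file actually is from its leading bytes.

Added example for this topic page (not the page's or any project's code).
Signatures are the public, well-known magic numbers and headers of each
format; `probe()` is an assumed wiring to a live host and is not run offline.
"""
import json
import re
import urllib.error
import urllib.request

# Constructed sample of paths from the articles above, not an exhaustive list.
CANDIDATE_PATHS = [
    "/.env", "/.git/HEAD", "/backup.sql", "/wp-config.php.bak",
    "/terraform.tfstate", "/.svn/wc.db", "/id_rsa", "/server.key",
    "/privkey.pem", "/keystore.jks", "/site-backup.zip",
]

_DOTENV_LINE = re.compile(rb"^(export\s+)?[A-Za-z_][A-Za-z0-9_]*=.*$")
_SQL_HINTS = (b"-- MySQL dump", b"PostgreSQL database dump",
              b"CREATE TABLE", b"INSERT INTO")


def _looks_like_dotenv(body: bytes) -> bool:
    """Every non-blank, non-comment line in the head of the file is KEY=VALUE."""
    lines = [ln.strip() for ln in body[:2048].splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(b"#")]
    return bool(lines) and all(_DOTENV_LINE.match(ln) for ln in lines)


def _looks_like_tfstate(body: bytes) -> bool:
    """Terraform state is a JSON object carrying terraform_version and serial."""
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(doc, dict) and "terraform_version" in doc and "serial" in doc


def classify(body: bytes) -> str:
    """Label a response body, or return 'html' / 'unknown' when it is not a leak.

    Binary magics first (they cannot be mistaken for text), then text formats
    with distinctive leading bytes, then looser whole-body heuristics.
    """
    if body[:4] == b"\xfe\xed\xfe\xed":
        return "java-keystore"          # JKS magic number
    if body[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip-archive"            # local file header / empty archive
    if body[:16] == b"SQLite format 3\x00":
        return "sqlite-db"              # e.g. .svn/wc.db
    head = body.lstrip()
    if head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head[:64]:
        return "private-key"            # RSA / EC / OPENSSH PEM headers
    if head.startswith(b"ref: refs/") or re.fullmatch(rb"[0-9a-f]{40}\s*", head):
        return "git-head"               # .git/HEAD, symbolic or detached
    if head.startswith(b"<?php"):
        return "php-source"             # wp-config.php.bak served raw
    if head[:15].lower().startswith((b"<!doctype html", b"<html")):
        return "html"                   # a 200 that is really an error page
    if _looks_like_tfstate(body):
        return "terraform-state"
    if any(h in body[:4096] for h in _SQL_HINTS):
        return "sql-dump"
    if _looks_like_dotenv(body):
        return "dotenv"
    return "unknown"


def probe(base_url: str, path: str, limit: int = 65536) -> tuple:
    """Fetch base_url+path and classify the first `limit` bytes.

    Assumed wiring for a live check of a host you are authorised to test.
    The status code alone proves nothing; the label does the work.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "exposed-file-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, classify(resp.read(limit))
    except urllib.error.HTTPError as err:
        return err.code, "unknown"


if __name__ == "__main__":
    # Constructed bodies standing in for downloads; no network needed.
    samples = {
        "/.git/HEAD": b"ref: refs/heads/main\n",
        "/.env": b"DB_HOST=db\nDB_PASSWORD=s3cret\n",
        "/missing": b"<!DOCTYPE html><html><body>Not Found</body></html>",
    }
    for path, body in samples.items():
        print(f"{path:12} -> {classify(body)}")
```

Anything labelled "html" or "unknown" is a path the server answered but did not leak; everything else is a finding worth a severity of its own, regardless of the status code that came with it.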
