Exposed files and configuration leaks: a field guide
A practical guide to the most common exposure findings VibeLeak surfaces, with specific remediation steps for each file type.
Environment
.env files are the single most dangerous exposure
A public .env file often contains database URLs, API keys, and secrets. If it is reachable without authentication, assume it has been read.
Immediate action
- Block .env, .env.local, .env.production, and every other .env.* variant at the web server or CDN, and keep them out of the deployed public root in the first place.
- Add them to .gitignore. If they were already committed, remove them from the index with git rm --cached as well; a .gitignore entry alone does not unpublish a file that is still in the repository, and the values remain in history.
- Rotate every key, token, and credential that appeared in the exposed file, including passwords embedded in database connection URLs.
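The rotation step is easier to get right when you know exactly which variables were in the file without copying their values into a ticket or chat. The shell script below is an added example, not VibeLeak's code: it lists the variable names defined in every .env variant under a public root so a rotation checklist can be built from names alone. The directory layout and the .env contents in the demo are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not VibeLeak's code): triage exposed .env files by listing
# the variable names they define, never the values, so the rotation checklist
# can be assembled without re-exposing the secrets.
set -eu

# Print the names of every variable defined in an .env file, one per line.
# Handles both "KEY=value" and "export KEY=value"; skips comments and blanks.
env_key_names() {
  local file="$1"
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$file"
}

# List .env and every variant (.env.local, .env.production, ...) under a root.
find_env_files() {
  local root="$1"
  find "$root" -type f \( -name '.env' -o -name '.env.*' \) | LC_ALL=C sort
}

# Emit "relative-path<TAB>VARIABLE" for every variable in every .env variant,
# which is the list of secrets that must be rotated.
rotation_checklist() {
  local root="$1" f key
  find_env_files "$root" | while IFS= read -r f; do
    env_key_names "$f" | while IFS= read -r key; do
      printf '%s\t%s\n' "${f#"$root"/}" "$key"
    done
  done
}

# Demo on a constructed tree; the file contents are made up for this example.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/public/app"
cat > "$demo_root/public/.env" <<'EOF'
# constructed sample, not a real deployment
DATABASE_URL=postgres://app:example@db.internal:5432/app
export STRIPE_SECRET_KEY=sk_test_example
DEBUG=true
EOF
printf 'API_KEY=example\n' > "$demo_root/public/app/.env.production"
rotation_checklist "$demo_root/public"
```

Run it against the directory the web server actually serves, not the repository checkout, since the two can differ. To confirm the .gitignore change took effect, git check-ignore -v .env prints the rule that matches, or nothing if the file is still tracked.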
Version control
A public .git folder is a source code leak
The .git folder contains the entire project history. Attackers can reconstruct the repository, read deleted secrets, and map the application structure.
Quick fix
- Block every path under /.git/ at the web server level, not just the directory index; individual objects and refs are fetched by name.
- Deploy built artifacts rather than a working checkout so the folder never reaches the public root.
- Treat every secret that ever appeared in the history, including ones later deleted, as exposed and rotate it.
Archives
Backup files and archives should never be public
.zip, .tar.gz, .sql, and .bak files are often left behind during deployments. They may contain full database dumps or source snapshots.
- Search the public root for any archive or backup file extensions.
- Remove them from the server entirely, not just from the directory listing. A file that is no longer listed is still downloadable by anyone who guesses or already knows its name.
- Add deployment checks that fail the build if archives are present.
Packages
.npmrc and similar config files expose registry credentials
Package manager config files sometimes contain auth tokens for private registries. Exposing them gives attackers access to your internal packages.
Fix
- Remove .npmrc and similar files from the public root and block dotfiles at the web server.
- Revoke the registry token and issue a new one; assume the old one was used.
- Keep registry credentials in environment variables or the CI secret store rather than in a file that ships with the site.
Cloud
Cloud provider config files reveal infrastructure details
Files like firebase.json, aws-config, or supabase config expose project IDs, regions, and sometimes keys. Even without a key, they tell an attacker which provider, project, and region to target, which makes them valuable reconnaissance.
- Audit the public root for any cloud provider config files.
- Move configuration into environment variables or secure config services.
- Review cloud console access logs for unusual activity.
Remediation
The cleanup process should be systematic
Fixing exposures is not just about deleting files. It is about confirming what was exposed, rotating affected secrets, and preventing recurrence.
Identify everything exposed
Use the VibeLeak findings list to catalog every public file and its contents.
Rotate all affected secrets
Assume any key, token, or credential in an exposed file is compromised.
Block access at the server level
Add rules to nginx, Apache, or your CDN that prevent public access to sensitive paths.
Add pre-deployment checks
Fail the build if scans detect exposed files before code reaches production.
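The archive audit, the cloud config audit, the server-level block, and the pre-deployment check above all reduce to one list of file classes that must never be served. The script below is an added example, not VibeLeak's scanner: it walks a public web root for dotfiles (.env*, .git, .npmrc), archives and dumps by extension, and named cloud config files, fails with a non-zero exit so a CI step can gate the deploy, and generates nginx deny rules from the same lists so the build check and the server rule cannot drift apart. The extension and filename lists, and the demo tree, are assumptions made for this example; extend them for your own stack.

```shell
#!/usr/bin/env bash
# Added example, not VibeLeak's own scanner: a pre-deployment gate plus an
# nginx deny block generated from the same lists of sensitive file classes.
set -eu

# Extensions of archives, database dumps and backup copies left behind by
# deployments. Assumed list for this example.
BACKUP_EXTS='zip tar gz tgz sql bak old orig'
# Cloud config files that do not start with a dot (dotfiles such as .env*,
# .git and .npmrc are caught by the dotfile rule). Assumed list.
CONFIG_NAMES='firebase.json'

# Print every offending path under $1, relative to $1, one per line.
scan_public_root() {
  local root="$1" ext name p
  {
    # Any dot-prefixed file or directory. -prune stops find descending into a
    # matched .git so only the directory itself is reported.
    find "$root" -mindepth 1 -name '.*' -prune -print
    for ext in $BACKUP_EXTS; do
      find "$root" -mindepth 1 -name '.*' -prune -o -type f -name "*.$ext" -print
    done
    for name in $CONFIG_NAMES; do
      find "$root" -mindepth 1 -name '.*' -prune -o -type f -name "$name" -print
    done
  } | while IFS= read -r p; do
    printf '%s\n' "${p#"$root"/}"
  done | LC_ALL=C sort -u
}

# Build gate: print findings to stderr and return 1 if anything was found.
predeploy_check() {
  local findings
  findings="$(scan_public_root "$1")"   # assigned separately so set -e sees failures
  if [ -n "$findings" ]; then
    printf 'refusing to deploy, sensitive files under %s:\n%s\n' "$1" "$findings" >&2
    return 1
  fi
  printf 'public root clean: %s\n' "$1"
}

# Emit nginx rules that deny the same classes at the server level.
# "deny all" answers 403; use "return 404;" instead if you would rather not
# confirm that the file exists.
generate_nginx_rules() {
  local exts name
  exts="$(printf '%s' "$BACKUP_EXTS" | tr ' ' '|')"
  cat <<EOF
# If you serve ACME challenges, exempt them before the dotfile rule:
# location ^~ /.well-known/acme-challenge/ { allow all; }
# Any path component starting with a dot (.env, .env.*, .git, .npmrc ...).
location ~ /\\. { deny all; }
# Archives, database dumps and backup copies, by extension.
location ~* \\.(${exts})\$ { deny all; }
EOF
  for name in $CONFIG_NAMES; do
    printf 'location = /%s { deny all; }\n' "$name"
  done
}

# Demo on a constructed tree; nothing here is a real deployment.
demo="$(mktemp -d)"
mkdir -p "$demo/.git/objects" "$demo/assets"
printf 'DATABASE_URL=example\n' > "$demo/.env"
printf -- '-- constructed dump\n' > "$demo/assets/site-backup.sql"
printf '{}\n' > "$demo/firebase.json"
predeploy_check "$demo" || echo "build would fail here (exit $?)"
generate_nginx_rules
```

Point scan_public_root at the directory that is actually served, not the repository checkout. If you ship precompressed assets such as app.js.gz, drop gz from BACKUP_EXTS and keep tgz and tar.gz, otherwise the gate and the nginx rule will block legitimate files. The ACME exemption matters because the dotfile rule would otherwise block certificate renewals under /.well-known/.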
Next action
Run the scanner against your own site
This guide is only useful once it becomes a fix list: scan, close the gaps, and scan again to confirm they are closed.