Exposed files and configuration leaks: a field guide
A practical guide to the most common exposure findings VibeLeak surfaces, with specific remediation steps for each file type.
Environment
.env files are the single most dangerous exposure
A public .env file usually holds database URLs, API keys, and other secrets. If it is reachable without authentication, assume it has already been read: /.env is one of the paths mass scanners request most often, so the window between exposure and discovery is short.
Immediate action
- Rotate every key and token that appeared in the file first; blocking the path does not undo a read that already happened.
- Block .env, .env.local, .env.production, and similar files at the web server level, and delete them from the published directory.
- Add them to .gitignore if they were accidentally committed. .gitignore only stops future commits; a secret already in history stays readable in every clone, which is another reason rotation comes first.
Version control
A public .git folder is a source code leak
The .git folder contains the entire project history. Attackers can reconstruct the repository, read deleted secrets, and map the application structure. Turning off directory listing does not help: .git/HEAD, .git/config, .git/index and the object and pack paths are predictable, so tooling can pull the repository one file at a time.
Quick fix
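The quick fix for .git is the same as for the .env files above and for the "block access at the server level" step in the remediation section: deny the paths in front of the static file handler. The script below is an added example, not VibeLeak's code. It prints an nginx snippet that returns 404 for every dotfile and dot-directory except .well-known/ and for common backup extensions, installs it only if the config passes nginx -t, and then probes a live site from the outside. The snippet path, the example host, and the probe list are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not VibeLeak's code): generate an nginx snippet that denies the
# paths this guide covers (.env*, .git, .npmrc, backup archives), install it,
# and probe a deployed site from the outside. The snippet path, the host and
# the probe list are assumptions; adjust them for your deployment.

# Print the deny rules. Regex locations are tried in order inside a server {}
# block. "return 404" rather than "deny all" (403) so the response does not
# confirm that the file exists.
deny_snippet() {
  cat <<'EOF'
# Every dotfile or dot-directory (.env, .env.local, .git/, .npmrc, ...)
# except .well-known/, which ACME and similar protocols need to reach.
location ~ /\.(?!well-known/) { return 404; }
# Backup and archive extensions, case-insensitive. Tune the list for your site.
location ~* \.(zip|tar|tar\.gz|tgz|sql|bak|old|orig)$ { return 404; }
EOF
}

# Write the snippet and reload only if the whole config passes nginx -t.
# usage: install_snippet /etc/nginx/snippets/deny-sensitive.conf
install_snippet() {
  deny_snippet > "$1" || return 1
  nginx -t && nginx -s reload
}

# Probe paths on a live site; every one should come back 404 (or 403).
# usage: verify_blocked https://example.com   (returns 1 if anything is served)
verify_blocked() {
  fail=0
  for p in /.env /.env.local /.env.production /.git/HEAD /.git/config \
           /.npmrc /backup.zip /db.sql /site.tar.gz; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1$p")
    case "$code" in
      404|403) printf 'blocked %s %s\n' "$code" "$p" ;;
      *)       printf 'EXPOSED %s %s\n' "$code" "$p"; fail=1 ;;
    esac
  done
  return "$fail"
}
```

Include the snippet inside every server {} block (for example `include snippets/deny-sensitive.conf;`). Two caveats: a `^~` prefix location that wins the prefix match makes nginx skip regex locations, so a dotfile under such a prefix would bypass these rules; and if a CDN caches responses in front of nginx, purge the cached copies of the exposed paths after the block is in place. On Apache the usual equivalent is `RedirectMatch 404 /\.git` and similar rules, or a `<FilesMatch>` block with `Require all denied`.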
Archives
Backup files and archives should never be public
.zip, .tar.gz, .sql, and .bak files are often left behind during deployments. They may contain full database dumps or source snapshots.
- Search the public root for any archive or backup file extensions.
- Remove them from the server entirely, not just from the index.
- Add deployment checks that fail the build if archives are present.
Packages
.npmrc and similar config files expose registry credentials
Package manager config files sometimes contain auth tokens for private registries, for example an .npmrc line of the form //registry.example.com/:_authToken=... . Exposing them gives attackers read access to your internal packages and, if the token can publish, a way to push tampered versions of those packages to everyone who installs them.
Fix
Cloud
Cloud provider config files reveal infrastructure details
Files like firebase.json, aws-config, or supabase config expose project IDs, regions, and sometimes keys. These are valuable reconnaissance targets.
- Audit the public root for any cloud provider config files.
- Move configuration into environment variables or secure config services.
- Review cloud console access logs for unusual activity.
Remediation
The cleanup process should be systematic
Fixing exposures is not just about deleting files. It is about confirming what was exposed, rotating affected secrets, and preventing recurrence.
Identify everything exposed
Use the VibeLeak findings list to catalog every public file and its contents.
Rotate all affected secrets
Assume any key, token, or credential in an exposed file is compromised.
Block access at the server level
Add rules to nginx, Apache, or your CDN that prevent public access to sensitive paths.
Add pre-deployment checks
Fail the build if scans detect exposed files before code reaches production.
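The "add deployment checks that fail the build" advice in the archives section and the pre-deployment step here come down to one script that runs against the directory about to be published. The one below is an added example, not VibeLeak's scanner. It lists every file class this guide covers, prints the names (never the values) of secrets found in .env and .npmrc files so the rotation list writes itself, and exits non-zero on any finding. The file and extension lists are assumptions to extend for your stack; the demo tree at the bottom is constructed for illustration.

```shell
#!/usr/bin/env sh
# Added example (not VibeLeak's code): a pre-deployment check that fails the
# build when the directory about to be published contains any file class this
# guide covers, and prints the *names* of secrets found in .env/.npmrc files
# (never the values) as the rotation list. File and extension lists are
# assumptions; the demo tree at the bottom is constructed for illustration.

# List offending entries under $1. A matched .git directory is pruned so it is
# reported once rather than as hundreds of object files.
find_exposed() {
  find "$1" \( -name '.env' -o -name '.env.*' \
            -o -type d -name '.git' \
            -o -name '.npmrc' -o -name 'firebase.json' \
            -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
            -o -name '*.sql' -o -name '*.bak' \) -prune -print | sort
}

# KEY names from a dotenv-style file ("export KEY=v" and "KEY=v"; comments and
# blank lines skipped). Values are deliberately not printed.
secret_names() {
  sed -n -E 's/^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)[[:space:]]*=.*/\2/p' "$1"
}

# Registries that have an _authToken in an .npmrc; those tokens must be revoked.
npmrc_registries() {
  sed -n -E 's#^[[:space:]]*(//[^:]+):_authToken=.*#\1#p' "$1"
}

# usage: check_public_root ./dist   -> returns 1 (fail the build) on any finding
check_public_root() {
  found=$(find_exposed "$1")
  if [ -z "$found" ]; then
    echo "ok: no exposed files under $1"
    return 0
  fi
  echo "FAIL: exposed files under $1"
  printf '%s\n' "$found" | while IFS= read -r f; do
    echo "  $f"
    case "$f" in
      */.env|*/.env.*) secret_names "$f"     | sed 's/^/      rotate secret: /' ;;
      */.npmrc)        npmrc_registries "$f" | sed 's/^/      revoke token for: /' ;;
    esac
  done
  return 1
}

# Constructed sample build directory with one example of each finding.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/assets" "$d/.git/objects"
  printf 'ref: refs/heads/main\n' > "$d/.git/HEAD"
  printf '# sample\nexport DATABASE_URL=postgres://app:pw@db/app\nSTRIPE_SECRET_KEY=sk_test_placeholder\n' \
    > "$d/.env.production"
  printf '//registry.npmjs.org/:_authToken=npm_placeholder\nalways-auth=true\n' > "$d/.npmrc"
  printf '{"hosting":{"public":"dist"}}\n' > "$d/firebase.json"
  : > "$d/backup-2024.sql"
  : > "$d/assets/app.js"
  echo "$d"
}

# Run as a script with the build directory as the argument, e.g. in CI:
#   sh check_public_root.sh ./dist || exit 1
if [ $# -gt 0 ]; then
  check_public_root "$1"
fi
```

Run it as the last step before upload, against the exact directory the deploy copies, not the source tree; a file that a build step generates into the public root (a leftover database dump, a compressed snapshot) is what this check is for, and a source-tree scan would miss it.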
Next action
Run the scanner against your own site
This guide works best as a fix list: scan, close each gap, and rescan to confirm the fix held.