Configuration Files Exposed
What This Means
This finding indicates that one or more configuration files are publicly accessible.
These files may contain sensitive information about your site.
Why It Matters
Configuration files often include critical details such as:
- database credentials
- API keys
- application settings
- internal paths
If exposed, attackers may use this information to:
How Steel Security Detects This
Steel Security checks for common configuration files that should not be accessible via a browser.
This may include:
- backup copies of configuration files
- misnamed or duplicated config files
- files stored in publicly accessible locations
If a file can be accessed directly, it is flagged.
How to Fix It
To resolve this issue:
- restrict access to configuration files using server rules
- remove unnecessary or duplicate configuration files
- ensure sensitive files are not stored in public directories
You may also use Steel Security hardening controls related to file protection.
What to Expect After Fixing
After applying protections:
- configuration files will no longer be accessible via browser
- requests to these files should return an error (e.g., 403 Forbidden)
- sensitive data will be better protected
How to Verify
To verify the fix:
- attempt to access the file via its URL
- confirm that access is denied
Ensure that:
- the file is no longer publicly accessible
- your site continues to function normally
Common Causes
- leftover backup files (e.g., .bak, .old, .zip)
- misconfigured server rules
- manual file uploads to public directories
Best Practices
- never store sensitive files in publicly accessible locations
- remove unused or outdated configuration files
- apply server-level access restrictions
- review file structure regularly
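As an added example (not Steel Security's own code), the following Python audit walks a web root and flags the file types listed under Common Causes, which is one way to "review file structure regularly"; the configuration filenames and backup suffixes it looks for are assumptions, so extend them to match your application.

```python
import os
from pathlib import Path

# Assumed lists, not Steel Security's detection list: filenames that typically
# hold credentials or secrets, and suffixes that mark leftover backup copies.
CONFIG_NAMES = {"config.php", "wp-config.php", ".env", "settings.ini", "database.yml"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".zip", ".tar.gz")


def classify(filename):
    """Return why a file should not sit in a public web root, or None if it is fine."""
    name = filename.lower()
    if name in CONFIG_NAMES:
        return "configuration file in a public directory"
    for suffix in BACKUP_SUFFIXES:
        if name.endswith(suffix):
            # Strip the backup suffix: "config.php.bak" -> "config.php"
            stem = name[: -len(suffix)]
            if stem in CONFIG_NAMES:
                return "backup copy of a configuration file"
            return "leftover backup or archive file"
    # Renamed duplicates such as config-old.php or config_copy.php
    stem, _, _ext = name.rpartition(".")
    if "config" in stem and any(tag in stem for tag in ("copy", "old", "backup", "bak")):
        return "misnamed or duplicated configuration file"
    return None


def find_exposed_files(webroot):
    """Walk a web root and return sorted (relative path, reason) pairs for risky files."""
    root = Path(webroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            reason = classify(fn)
            if reason:
                rel = (Path(dirpath) / fn).relative_to(root).as_posix()
                findings.append((rel, reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    # Usage: python audit.py /path/to/webroot
    for path, reason in find_exposed_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

Every path it reports should then be moved out of the web root or covered by a server rule, after which requesting it should return 403 Forbidden as described under What to Expect After Fixing.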