Free tool
Free Exposed Files Checker
Find .env, .git, and other sensitive files before attackers do.
Free. No account. Results in under 60 seconds.
What it checks
Every check, explained
- 01.env, .env.local, .env.production — secrets in plain text
- 02.git/HEAD, .git/config — full source history leak
- 03Source maps (.js.map) — original code exposed
- 04/config.json, /credentials.json — common leak paths
- 05/backup.zip, /.DS_Store — accidental uploads
Why it matters
Why you should care
Attackers run automated scanners against every new domain within hours of it going live, testing for known leak paths. If any of these files are reachable, someone has already found them. This is a check you want to pass on day one.
How it works
What happens when you paste a URL
We send HEAD requests to 20+ common leak paths and check whether they return a 200 response with meaningful content. We do not read or exfiltrate file contents — only the HTTP status code.
FAQ
Frequently asked questions
- Does 200 OK mean the file is truly exposed?
- Not always — some sites return 200 with an HTML error page for any path. We check Content-Type and body length to filter out these false positives.
- Should I block these paths at the CDN level?
- Sure, but the real fix is to not deploy them in the first place. A CDN rule is a safety net, not a cure.
Fix guides
If this check fails, here is what to do
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Read moreExposed .git directory
An exposed .git directory lets attackers download your entire source history, including deleted secrets. Here is how to check and fix it.
Read moreExposed source maps
Source maps in production let anyone read your original, un-minified source code. Useful in dev, dangerous in prod. Here is how to disable them.
Read moreExposed Next.js build files
Build artifacts like .next directory, BUILD_ID, or server-side bundles should not be publicly reachable. Here is how to lock them down.
Read moreMore free tools