Severity: Critical. Compliance references: KVKK m.12, GDPR Art. 32, ISO 27001 A.8.9

Remove exposed .git, .env and backup files

A reachable .git directory, .env file, or database backup hands attackers your source code, credentials and secrets.

Why it matters

These are among the most damaging findings possible: a public .env leaks API keys and database passwords; an exposed .git lets an attacker reconstruct your entire codebase. It turns a reconnaissance scan into a full compromise.

How to fix it

Keep secrets and VCS metadata out of the web root, block dotfiles and backup extensions at the server, and rotate any credential that was ever exposed — assume it is compromised.

# nginx: block sensitive paths
# The first pattern is unanchored, so it also catches nested copies such as /assets/.git/ and
# suffixed variants such as /.env.local. Note that '~' matches case-sensitively (use '~*' if the
# server runs on a case-insensitive filesystem). 'return 404' executes in the rewrite phase, before
# 'deny all' is evaluated, so the deny is redundant; 404 is used so the reply does not confirm the file exists.
location ~ /\.(git|env|svn) { deny all; return 404; }
location ~* \.(sql|bak|old|zip)$ { deny all; return 404; }
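The server rule is the safety net; the primary fix is to make sure those files are not in the web root at all. The following added example (not part of this guide) does two things: it mirrors the two nginx regexes above in Python so you can check which request paths they would actually block, and it walks a local web root to list VCS metadata, .env files and backup dumps that should not be deployed. The sample web root is constructed in a temporary directory; the file names and the `audit_webroot` and `request_would_be_blocked` helpers are this example's own.

```python
import os
import re
import tempfile

# Patterns mirroring the guide's two nginx location blocks.
# nginx '~' is case-sensitive; '~*' is case-insensitive.
DOTDIR_RE = re.compile(r"/\.(git|env|svn)")
BACKUP_RE = re.compile(r"\.(sql|bak|old|zip)$", re.IGNORECASE)

# Directories and name patterns the web-root audit flags (this example's own list).
VCS_DIRS = {".git", ".svn", ".hg"}


def request_would_be_blocked(uri_path):
    """Return True if the nginx rules above would answer 404 for this request path."""
    return bool(DOTDIR_RE.search(uri_path) or BACKUP_RE.search(uri_path))


def audit_webroot(root):
    """Walk a deployed web root and list files that must never be reachable over HTTP."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(dirpath, d), root).replace(os.sep, "/")
                findings.append(rel + " (VCS metadata)")
                dirnames.remove(d)  # one finding per repository; no need to descend into it
        for f in filenames:
            rel = os.path.relpath(os.path.join(dirpath, f), root).replace(os.sep, "/")
            if f == ".env" or f.startswith(".env."):
                findings.append(rel + " (secrets file)")
            elif BACKUP_RE.search(f) or f.endswith("~"):
                findings.append(rel + " (backup/dump)")
    return sorted(findings)


def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git", "objects"))
        os.makedirs(os.path.join(root, "assets"))
        for name in (".git/HEAD", ".env", "index.php", "db-2024.sql",
                     "config.php.bak", "assets/logo.png"):
            with open(os.path.join(root, *name.split("/")), "w") as fh:
                fh.write("sample content\n")
        return audit_webroot(root)


if __name__ == "__main__":
    for path in ("/.git/HEAD", "/.env.bak", "/backup/db.SQL", "/index.php", "/.GIT/HEAD"):
        print(f"{path:20} blocked={request_would_be_blocked(path)}")
    for finding in demo():
        print("FOUND:", finding)
```

Running it shows that `/.GIT/HEAD` is not caught by the case-sensitive first rule, which only matters on a case-insensitive filesystem, and that the audit lists the repository, the .env file and both backup files while ignoring `index.php` and the image.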

Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.