Critical
KVKK m.12
GDPR Art. 32
ISO 27001 A.8.9
Remove exposed .git, .env and backup files
A reachable .git directory, .env file, or database backup hands attackers your source code, credentials and secrets.
Why it matters
These are among the most damaging findings possible: a public .env leaks API keys and database passwords, and an exposed .git lets an attacker reconstruct the codebase together with its full history. Disabling directory listing does not help, because the paths inside .git (HEAD, refs, objects, index) are predictable and each can be fetched individually. One reconnaissance request turns into a full compromise.
How to fix it
Keep secrets and VCS metadata out of the web root in the first place: deploy a build artefact rather than a checkout, and load configuration from environment variables or a file outside the document root. Block dotfiles and backup extensions at the server as defence in depth, not as the primary control. Rotate every credential that was ever reachable, even briefly, and assume it has already been harvested; a secret that was committed also survives in the repository history until that history is rewritten.
# nginx: hide VCS metadata and all other dotfiles, but keep /.well-known/ reachable for ACME.
# "return" acts in the rewrite phase, before "deny" would, so "deny all" beside it is dead config.
location ~ /\.(?!well-known/) { return 404; }
# nginx: hide backup and dump artefacts (case-insensitive). Put both above other regex locations
# such as "~ \.php$", because nginx uses the first regex location that matches.
location ~* \.(sql|sql\.gz|bak|old|orig|swp|zip|tar|tgz|tar\.gz)$ { return 404; }
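The server rule above is the backstop; the primary fix is never shipping these files. The script below is an added example, not code from the original page or its scanner: a pre-deploy audit that fails the build if the web root contains VCS metadata, .env files or backup artefacts, plus an optional live probe that checks the same paths the way a scanner would. The file patterns, probe paths and content markers are this example's own assumptions, not a standard list.

```sh
#!/bin/sh
# Added example, not code from the original page. The patterns below are
# assumptions for the demo, not an exhaustive or standard list.

# audit_webroot DIR: print every VCS directory, .env file or backup artefact
# under DIR. Returns 1 if anything was found, 0 if the tree is clean.
audit_webroot() {
    root="$1"
    # Branch 1: VCS metadata dirs and .env files; -prune stops find from
    # descending into .git so it is reported once, not once per object.
    # Branch 2: backup/dump artefacts by extension, matched case-insensitively.
    hits=$(find "$root" \
        \( -name .git -o -name .svn -o -name .hg -o -name '.env' -o -name '.env.*' \) -prune -print \
        -o -type f \( -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.bak' -o -iname '*.old' \
                      -o -iname '*.orig' -o -iname '*.zip' -o -iname '*.tar.gz' -o -iname '*~' \) -print)
    if [ -n "$hits" ]; then
        printf 'EXPOSED in %s:\n%s\n' "$root" "$hits"
        return 1
    fi
    echo "clean: $root"
    return 0
}

# probe_site URL: check a live site for the same artefacts. A 200 status alone
# proves nothing, because many sites answer every path with a 200 "soft 404"
# page, so look for content only the real file would contain: .git/HEAD
# starts with "ref: refs/", and a .env has KEY=VALUE lines (heuristic).
# Needs network access; it is not part of the offline audit.
probe_site() {
    base="${1%/}"
    exposed=0
    head_line=$(curl -s -m 10 "$base/.git/HEAD" 2>/dev/null | head -n 1 | head -c 120)
    case "$head_line" in
        ref:\ refs/*) echo "EXPOSED: $base/.git/HEAD ($head_line)"; exposed=1 ;;
    esac
    if curl -s -m 10 "$base/.env" 2>/dev/null | head -c 4096 | grep -Eq '^[A-Z][A-Z0-9_]*='; then
        echo "EXPOSED: $base/.env"; exposed=1
    fi
    for f in .env.bak backup.sql backup.zip db.sql; do
        code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$base/$f" 2>/dev/null)
        if [ "$code" = 200 ]; then
            echo "CHECK: $base/$f returned 200; confirm it is not a soft 404 before reporting"
        fi
    done
    return $exposed
}

# Usage: sh audit.sh /var/www/html [https://example.com]
if [ $# -ge 1 ]; then
    audit_webroot "$1"; rc=$?
    [ -n "${2:-}" ] && probe_site "$2"
    exit $rc
fi
```

Run `audit_webroot` against the staged document root in CI so a stray `.env` or `dump.sql` blocks the deploy instead of being discovered by a scanner; run `probe_site` against the public hostname after deploy to confirm the server rule actually returns 404 rather than a 200 page that merely looks like one.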
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Disable directory listing
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.