Free Sensitive-File Scan

Free Exposed Files & Directory Checker

Check whether a website is leaking sensitive files — exposed .git and .env files, database/archive backups, configuration files and diagnostics like server-status and phpinfo that hand attackers credentials and source code.

By scanning, you confirm you own or have permission to test this domain. Not a substitute for manual penetration testing.

What this exposed files checker checks

Exposed .git / .svn repository files
Leaked .env and backup config files (.bak)
Publicly accessible archive backups (backup.zip)
Server-status, phpinfo and .htaccess exposure
.DS_Store and other common dotfiles
Soft-404 calibration with content-signature validation
.git repository dumpability (source-reconstruction risk)
Cloud credentials, SQL dumps, CI configs, actuator/metrics & more (30+ paths)

How it works

Read-only: GET requests to known paths, no payloads
  1. We request ~30 well-known sensitive paths (.git/.env, backups, config, server-status, phpinfo, cloud creds, CI files, /actuator, /metrics and more) with plain GETs.
  2. Before evaluating any hit we calibrate the site's "page not found" response by fetching a path that cannot exist, then validate each candidate by content signature, so a soft-404 page (an HTTP 200 carrying a friendly error page) is not mistaken for a real file.
  3. For an exposed .git we additionally check whether the repository is dumpable, i.e. whether the full source can be reconstructed from what the server serves.

What it doesn’t do: These are read-only existence checks on standard paths — no fuzzing, brute-forcing or payloads.
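The three steps above, as an added example that is not ONEROXE's scanner code: it calibrates a not-found baseline, validates each 200 by content signature, and applies a .git dumpability heuristic (HEAD valid plus either a listable .git/ directory or a readable .git/index, which is an assumption about how reconstruction tools work, not the page's stated method). The fetcher is injected so the logic runs offline against constructed fake sites; the path list, signatures and sample responses are illustrative.

```python
"""Minimal exposed-files checker: soft-404 calibration, content-signature
validation and a .git dumpability heuristic. Illustrative only."""
import difflib
import secrets
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]   # path -> (HTTP status, body)

# A 200 on a path is a finding only if the body looks like the real artefact.
# These paths and signatures are assumptions for the example, not the tool's list.
SIGNATURES: Dict[str, Callable[[bytes], bool]] = {
    "/.git/HEAD": lambda b: b.startswith(b"ref: refs/") or len(b.strip()) == 40,
    "/.env": lambda b: any(b"=" in ln and not ln.startswith(b"#")
                           for ln in b.splitlines() if ln.strip()),
    "/backup.zip": lambda b: b.startswith(b"PK\x03\x04"),       # ZIP local-file header
    "/.DS_Store": lambda b: b[4:8] == b"Bud1",                    # .DS_Store magic
    "/server-status": lambda b: b"Apache Server Status" in b,
    "/phpinfo.php": lambda b: b"PHP Version" in b,
}


def calibrate(fetch: Fetcher) -> Tuple[int, bytes]:
    """Fetch a path that cannot exist and record the site's not-found response.
    A plain site answers (404, ...); a soft-404 site answers e.g. (200, <error page>)."""
    return fetch("/" + secrets.token_hex(12))


def is_not_found(status: int, body: bytes, baseline: Tuple[int, bytes]) -> bool:
    """True for a hard 404/410, or when the body closely resembles the soft-404 baseline.
    Similarity (not equality) tolerates error pages that echo the requested path."""
    if status in (404, 410):
        return True
    base_status, base_body = baseline
    if status != base_status:
        return False
    return difflib.SequenceMatcher(None, body[:4096], base_body[:4096]).ratio() >= 0.9


def scan(fetch: Fetcher) -> List[str]:
    """Return paths that exist AND whose content matches the expected signature."""
    baseline = calibrate(fetch)
    hits: List[str] = []
    for path, signature in SIGNATURES.items():
        status, body = fetch(path)
        if status >= 400 or is_not_found(status, body, baseline):
            continue
        if signature(body):
            hits.append(path)
    return hits


def git_dumpable(fetch: Fetcher) -> bool:
    """Heuristic (assumption): the repository can be reconstructed when HEAD is valid
    and either .git/ is listable or .git/index is readable; reconstruction tools walk
    refs and the index to discover object names and fetch them one by one."""
    status, head = fetch("/.git/HEAD")
    if status != 200 or not SIGNATURES["/.git/HEAD"](head):
        return False
    st, listing = fetch("/.git/")
    if st == 200 and b"Index of" in listing:
        return True
    st, index = fetch("/.git/index")
    return st == 200 and index.startswith(b"DIRC")   # git index-file magic


# --- constructed fake origins for offline demonstration (not real sites) ---
SOFT404 = (b"<html><head><title>Example</title></head>"
           b"<body><h1>Sorry, we couldn't find that page</h1></body></html>")


def make_fetcher(files: Dict[str, bytes], soft_404: bool) -> Fetcher:
    """Known files answer 200; anything else answers a hard 404 or a soft-404 page."""
    def fetch(path: str) -> Tuple[int, bytes]:
        if path in files:
            return 200, files[path]
        return (200, SOFT404) if soft_404 else (404, b"Not Found")
    return fetch


LEAKY_SITE = make_fetcher({
    "/.git/HEAD": b"ref: refs/heads/main\n",
    "/.git/index": b"DIRC\x00\x00\x00\x02" + b"\x00" * 16,
    "/.env": b"# local\nDB_PASSWORD=hunter2\nAPI_KEY=sk_test_example\n",
    "/backup.zip": b"PK\x03\x04" + b"\x00" * 26,
}, soft_404=True)
CLEAN_SITE = make_fetcher({}, soft_404=True)                       # soft-404 everywhere
HEAD_ONLY_SITE = make_fetcher({"/.git/HEAD": b"ref: refs/heads/main\n"}, soft_404=False)

if __name__ == "__main__":
    print("leaky:", scan(LEAKY_SITE), "git dumpable:", git_dumpable(LEAKY_SITE))
    print("clean:", scan(CLEAN_SITE))
    print("head only:", scan(HEAD_ONLY_SITE), "git dumpable:", git_dumpable(HEAD_ONLY_SITE))
```

Against a live target, replace make_fetcher with a function that issues a plain GET and returns (status, body); keep the calibration step, because on a soft-404 site every path "exists" and only the baseline comparison plus signature check separates real leaks from noise.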

Why it matters

A single exposed .env or .git directory can leak database passwords, API keys and your entire source code. These are among the highest-impact, lowest-effort findings attackers scan the internet for — and they are trivial to fix once you know.

Frequently asked questions

Is the exposed-files checker free?

Yes — sensitive-file exposure is checked as part of the free ONEROXE recon scan, with no account required.

Why is an exposed .git folder dangerous?

An exposed .git directory often lets anyone reconstruct your full source code — including secrets committed to history — which can lead directly to compromise.

The scan flagged a file — what now?

Treat whatever the file contained as compromised: remove public access immediately, rotate every secret it may have exposed (database passwords, API keys, tokens), check access logs for earlier requests to that path, and add deny rules at the web server, or move such files outside the web root, so similar paths are never served again.
