Medium (5.3) | Moderate risk

Directory Listing Enabled

A05:2025 | Passive check | CVSS 5.3

What it is

Directories with no index file return an auto-generated, browsable listing of every file inside.

How attackers abuse it

A sensitive file or endpoint is served publicly (.env, .git, backups, source maps, debug pages). One exposed file can hand over every secret or your full source at once.

Attacker playbook

  1. Request common sensitive paths directly in the browser.
  2. If one returns content, download it.
  3. Read the secrets or source it reveals and use them to go further.

How VibeSec detects and confirms it

VibeSec checks for this with a passive, read-only scan that is safe to run on any site. We use VibeSec native and Nikto and base the finding only on what your site already exposes publicly.

VibeSec native | Nikto
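One way to recognise an auto-generated index page in a response from your own site, and to flag the file kinds named above, as an added example (not VibeSec's or Nikto's code). The names `classify_listing`, `SENSITIVE_RE` and `SAMPLE` are hypothetical, the sample page is constructed, and the heading and parent-link signatures are a heuristic based on the default output of Apache, nginx, IIS and Python's http.server.

```python
import re
from html.parser import HTMLParser

# Headings written by Apache/nginx ("Index of /x") and Python http.server.
HEADING_RE = re.compile(r"^\s*(Index of|Directory listing for)\s+/", re.I)
PARENT_TEXTS = {"parent directory", "[to parent directory]", "../"}  # Apache, IIS, nginx
# File kinds named on this page: dotfiles (.env, .git), backups, source maps.
SENSITIVE_RE = re.compile(r"^\.[^./]|\.(bak|old|sql|zip|tar\.gz|map)$", re.I)

class _Page(HTMLParser):
    """Collects <title>/<h1> text and every (href, link text) pair."""
    def __init__(self):
        super().__init__()
        self.headings, self.links = [], []
        self._tag, self._href, self._buf = None, "", []

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "h1", "a"):
            self._tag, self._buf = tag, []
            self._href = dict(attrs).get("href") or ""

    def handle_data(self, data):
        if self._tag:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            text, self._tag = "".join(self._buf).strip(), None
            if tag == "a":
                self.links.append((self._href, text))
            else:
                self.headings.append(text)

def classify_listing(status, body):
    """Return (is_listing, entries, sensitive) for a response from your own site."""
    page = _Page()
    page.feed(body)
    parent = any(t.lower() in PARENT_TEXTS for _, t in page.links)
    titled = any(HEADING_RE.match(h) for h in page.headings)
    if status != 200 or not (parent or (titled and page.links)):
        return False, [], []
    # Drop column-sort links ("?C=N;O=D") and the parent-directory link.
    entries = [h for h, t in page.links
               if h and not h.startswith("?") and t.lower() not in PARENT_TEXTS]
    sensitive = [e for e in entries if SENSITIVE_RE.search(e.rstrip("/"))]
    return True, entries, sensitive

# Constructed sample: an nginx-style autoindex page for /files/.
SAMPLE = ('<html><head><title>Index of /files/</title></head><body><h1>Index of /files/</h1>'
          '<hr><pre><a href="../">../</a>\n<a href=".env">.env</a>\n'
          '<a href="app.js.map">app.js.map</a>\n<a href="img/">img/</a>\n</pre></body></html>')
```

After turning listings off, the same URL should no longer classify as a listing; a non-200 status such as 403 or 404 is reported as not a listing.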

If this is in your report: how to fix it

  • Remove sensitive files from anything web-served and rotate any secrets they held.
  • Block access to dotfiles, version-control folders, and backups at the server or host.
  • Do not ship source maps or debug endpoints to production unless you mean to.
