// exposed file checker
Find sensitive files your site is serving by accident, like .env, .git and database backups.
Scan your site for free
Free scan. See the count and severity before you pay.
A surprising number of sites accidentally serve files that were never meant to be public. An exposed .env file hands over every secret at once. An exposed .git folder lets anyone download your source. VibeSec checks for these with read-only requests and tells you what to remove.
A single exposed .env file usually contains database passwords, API keys, and signing secrets. With it, an attacker does not need to find a clever bug; they just read your secrets and walk in. That is why it is worth checking.
We send read-only GET requests to a list of known sensitive paths. If one returns content instead of a not-found, that is a finding. We never modify anything, and the check is safe to run on your own site.
Paste your site address. The free scan is passive and read-only, so it is safe to run.
VibeSec requests a list of common sensitive paths with safe read-only GETs and reports any that are served publicly.
See what was found, why it matters, and copy-paste steps to fix it. No security background needed.
No. We only send normal read-only GET requests for common paths, the same thing any browser does. Nothing is modified or exploited.
Remove the file from your public directory, rotate every secret it contained, and add it to your ignore rules so it is never deployed again. VibeSec lists the exact steps.
It usually happens when a whole project folder is deployed as-is. Anyone can then reconstruct your source code. We check for this and tell you how to block it.
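A pre-deploy check for the cause described above (a whole project folder deployed as-is), as an added example that is not VibeSec's own code: it audits the folder you are about to publish instead of the live site. The rule list, the allow-list and the function names are assumptions for illustration.

```python
import fnmatch
import os

# Assumed rule set: (glob on the file or directory name, severity, reason).
RULES = [
    (".env*", "critical", "environment file with secrets"),
    (".git", "high", "repository metadata, source can be reconstructed"),
    ("*.sql", "high", "database dump"),
    ("*.sql.gz", "high", "compressed database dump"),
]
ALLOW = {".env.example", ".env.sample"}  # templates assumed to hold no real values


def audit_public_dir(root):
    """Return sorted (relative_path, severity, reason) for risky entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name in ALLOW:
                continue
            for pattern, severity, reason in RULES:
                if fnmatch.fnmatchcase(name, pattern):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append((rel.replace(os.sep, "/"), severity, reason))
                    break
        # Report a .git directory once; do not descend into it.
        dirnames[:] = [d for d in dirnames if d != ".git"]
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample deploy folder used to exercise the audit."""
    files = {
        "index.html": "<h1>ok</h1>",
        ".env": "DB_PASSWORD=constructed-sample",
        ".env.example": "DB_PASSWORD=",
        "backups/site.sql.gz": "constructed",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    import sys
    print(*audit_public_dir(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Run it against the build output before each deploy and treat any finding as a failed build. A file that was already served still needs its secrets rotated.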
The free scan shows the count and severity. Upgrade to see every finding with copy-paste remediation.