// SECURITY GUIDE · MISCONFIGURATIONS
Misconfigurations

// WHAT IT IS
Misconfigurations are accidental exposures — files or directories that should never be public but are. They're responsible for a huge share of real-world breaches. A single exposed .env file can contain database passwords, API keys, and encryption secrets.
// WHAT WE CHECK
[CRITICAL]/.git/HEAD: Your entire source code history can be reconstructed from an exposed .git directory. Attackers use tools like git-dumper to extract every commit.
[CRITICAL]/.env: Environment files contain database URLs, API keys, JWT secrets. Exposing this is an immediate full compromise.
[CRITICAL]/phpmyadmin: Database admin UI exposed to the internet. Brute-forced in hours.
[MEDIUM]/wp-admin: WordPress admin. Should be restricted by IP if possible.
[HIGH]Directory listing: Server returns a file listing instead of 403. Exposes your entire file structure.
// HOW TO FIX: NGINX
# Block .git and .env
location ~ /\.git { deny all; return 404; }
location ~ /\.env { deny all; return 404; }

# Disable directory listing
autoindex off;
// HOW TO FIX: VERCEL / NEXT.JS
On Vercel, .git and .env are never served — the platform handles it. For self-hosted deployments, use the nginx rules above or configure your .htaccess for Apache.
→ SCAN YOUR SITE NOW