Directory Listing
Checks for exposed directory listings at common paths (/.git, /.env, /admin, etc.).
What this check measures
We try fetching a list of sensitive paths: `/.git/config`, `/.env`, `/admin`, `/wp-admin`, `/backup.zip`, etc. Any 200 response that shouldn't be public is a critical finding.
Why it matters
Exposed `.git` or `.env` files leak source code and secrets. Exposed admin panels invite brute-force attacks. Exposed backup files hand attackers your whole database. These are game-over findings.
How our audit detects it
HEAD + GET a list of ~40 common sensitive paths. Flag 200 responses that return actual content, i.e. not a soft-404 (a 200 whose body is really the site's error or catch-all page).
Typical findings
- /.env returns the .env file content including secrets.
- /.git/config exposes the repo URL; attackers then dump full source.
- /phpmyadmin open to the internet.
- /admin returns 200 with an unauthenticated admin dashboard.
How to fix
Block these paths at the server/CDN level. Never deploy `.git` or `.env` — add to `.gitignore` and deployment `.dockerignore`. Admin paths should be behind auth and ideally not at a guessable URL.
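As an added example (not Pantra's own code or configuration), here is an nginx server block that implements the fix above: dotfile paths and backup archives return 404 rather than 403, so the response does not confirm the file exists, and the admin panels sit behind HTTP basic auth plus an IP allowlist. The upstream address `http://app:8080`, the htpasswd path `/etc/nginx/admin.htpasswd`, the server name and the allowlisted range are all placeholders.

```nginx
# Added example, not from the original page. Placeholders: server_name,
# upstream app:8080, htpasswd file and the 203.0.113.0/24 allowlist range.
server {
    listen 443 ssl;
    server_name example.com;

    # 1. Any path segment that starts with a dot: /.git/config, /.env,
    #    /.htaccess, /static/.env ... Regex locations are evaluated in
    #    file order, so keep these deny rules above the catch-all.
    #    404 (not 403) avoids confirming that the file is present.
    location ~ /\. {
        return 404;
    }

    # 2. Backup dumps and archives anywhere under the document root
    #    (/backup.zip, /db.sql, /site.tar.gz, /index.php.bak ...).
    location ~* \.(zip|tar|tgz|tar\.gz|gz|sql|sql\.gz|bak|old)$ {
        return 404;
    }

    # 3. Admin panels: reachable only from the allowlisted range AND with
    #    valid credentials (nginx defaults to "satisfy all").
    location ~ ^/(admin|wp-admin|phpmyadmin)(/|$) {
        allow 203.0.113.0/24;
        deny  all;
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/admin.htpasswd;
        proxy_pass http://app:8080;
    }

    # 4. Everything else goes to the application.
    location / {
        proxy_pass http://app:8080;
    }
}
```

After deploying, verify from outside the allowlist: `curl -I https://example.com/.env` and `/.git/config` should return 404, `/backup.zip` 404, and `/admin` 403 (or 401 from inside the allowlist without credentials). Treat the server rules as defence in depth; the primary control is still not shipping `.git` and `.env` in the first place, via `.gitignore` and `.dockerignore`.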
Frequently asked questions
How do attackers find these?
Want this checked on your site?
Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.
Related checks
HTTPS Enabled
Checks that the site serves over HTTPS and redirects HTTP to HTTPS.
TLS Version
Checks that the server uses TLS 1.2 or higher — older versions are broken.
Mixed Content
Checks for HTTP resources loaded on HTTPS pages — browsers block or warn.
SSL Certificate
Checks that the SSL certificate is valid, not expired, and not expiring soon.