Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)
#7 · Required · Web Standards · security · Security & Infrastructure · weight 2% · impl implemented · method v1.2.0
Web Standards item — Security
This factor is part of Web Standards — the table-stakes binary layer of the score. It is graded pass/fail and gates the Web Quality score; it is not weighted into Web Quality itself.
- Pass criteria
- Strict — passes only on pass.
- Web Standards label
- No exposed sensitive paths
- Why it's required
- /.git, /.env, exposed /admin, or readable wp-config.php means credentials and source code are leaking. This is a vulnerability, not a polish issue.
What this means for your business
Things like login pages, admin panels, and developer files should never be reachable by a stranger typing a guess into their browser. When they are, they become the front door for an attack.
Plain title: Private files aren't open to the public
What we measure
Some files and URL paths should never be reachable from the public internet — like `.git/config`, `.env`, or legacy WordPress endpoints. Each one that responds publicly is a separate attack surface.
How to improve your score
Configure the web server to deny access to these paths. For WordPress: block `xmlrpc.php` if it is not used, restrict `/wp-admin` and `/wp-login.php` by IP, and never deploy `.git/` or `.env` files to public directories.
Implementation
stale · v1 · seeded — no connector publish yet · source: freshcoat-discovery/src/connectors/legacy-audit.ts:scoreSensitivePaths
Detection method
Reads the upstream `common_paths` map (probes /wp-admin, /wp-login.php, /xmlrpc.php, /admin, /.git, /.env, /phpMyAdmin). Any 200 status is flagged as a finding. A body verifier then re-fetches each upstream-200 path with redirect:manual — if the path 3xxs elsewhere, the finding is dropped (it isn't actually serving sensitive content).
Detection sources
- Audit endpoint's common-path status map
- Verifier re-fetch of each 200 path (redirect:manual + body inspection)
Scoring bands · strict ladder
| Score | Condition |
|---|---|
| 100 | no sensitive paths returned 2xx |
| 0 | ≥1 path returned 200 with body matching real-exposure markers (login form, .env content, .git index) |
| n/a | verifier inconclusive (kept upstream finding) |
Evidence-key dictionary
What every notes string the connector emits means.
Surfaces in the per-domain dossier evidence column.
- `clean`: No sensitive paths returned 2xx.
- `clean_after_verifier_dropped_N`: N upstream-200 findings dropped after the verifier confirmed they 3xx or render a 404 page.
- `N_exposed_M_filtered`: N real exposures kept, M dropped by the verifier.
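The verifier flow described under Detection method, the strict ladder and the evidence-key strings above, as an added stand-alone example (not the connector's own code from `legacy-audit.ts`): the marker regexes, the `inconclusive` note string and the sample responses are assumptions constructed for this illustration, so it runs offline.

```typescript
// Added example, not the connector's code: a pure classifier mirroring the verifier
// logic (status -> 3xx drop -> soft-404 check -> body markers), fed constructed
// responses instead of live fetches. Marker regexes are assumptions.
type Probe = { path: string; status: number; contentType: string; body: string };
type Verdict = "exposed" | "redirected" | "soft_404" | "inconclusive" | "clean";

// Real-exposure markers named in the scoring table: login form, .env content, .git index.
const MARKERS: Array<[string, RegExp]> = [
  ["login form", /<form[^>]*>[\s\S]*?type=["']password["']/i],
  [".env content", /^[A-Z][A-Z0-9_]*=\S+/m],            // KEY=value lines
  [".git index", /^DIRC|Index of \/\.git|^\[core\]/m],   // index magic, dir listing, config
];

export function classify(r: Probe): { verdict: Verdict; marker?: string } {
  // With redirect:manual a 3xx comes back as-is: the path bounces elsewhere, so drop it.
  if (r.status >= 300 && r.status < 400) return { verdict: "redirected" };
  if (r.status !== 200) return { verdict: "clean" };
  // SPA catch-all: a 200 whose HTML is really a not-found page.
  if (/html/i.test(r.contentType) && /<title>[^<]*(404|not found)[^<]*<\/title>/i.test(r.body)) {
    return { verdict: "soft_404" };
  }
  for (const [marker, re] of MARKERS) {
    if (re.test(r.body)) return { verdict: "exposed", marker };
  }
  return { verdict: "inconclusive" }; // upstream 200, no marker: keep the finding, score n/a
}

// Strict ladder plus the evidence-key strings from the dictionary above.
export function score(probes: Probe[]): { score: number | null; note: string } {
  const v = probes.map(classify);
  const exposed = v.filter((x) => x.verdict === "exposed").length;
  const dropped = v.filter((x) => x.verdict === "redirected" || x.verdict === "soft_404").length;
  if (exposed > 0) return { score: 0, note: `${exposed}_exposed_${dropped}_filtered` };
  if (v.some((x) => x.verdict === "inconclusive")) return { score: null, note: "verifier_inconclusive" };
  return { score: 100, note: dropped ? `clean_after_verifier_dropped_${dropped}` : "clean" };
}

// Constructed sample responses (not real probe output).
export const SAMPLE: Probe[] = [
  { path: "/.env", status: 200, contentType: "text/plain", body: "DB_PASSWORD=hunter2\nAPP_KEY=base64:xx\n" },
  { path: "/wp-login.php", status: 302, contentType: "text/html", body: "" },
  { path: "/admin", status: 200, contentType: "text/html", body: "<html><title>404 Not Found</title><div id=app></div></html>" },
  { path: "/.git", status: 404, contentType: "text/html", body: "" },
];
```

Running `score(SAMPLE)` yields a 0 with note `1_exposed_2_filtered`: the `.env` body is a real exposure, while the redirecting login page and the SPA 404 are filtered rather than counted.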
Applicability
Always applies — vulnerability factor on the strict ladder. False positives previously dropped composites by 25-75 points; the verifier (added Apr 28) catches SPA catch-all 404s and 3xx redirects.
Changelog
- 2026-04-29 · seed · Initial seed from MethodologyRegistry bootstrap.
Facts
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v1.2.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |