What kinds of files does it flag?

It flags exposed version-control folders (.git, .svn), secret files (.env, config.php, id_rsa), database backups (backup.sql, dump.sql.gz), and risky admin or debug endpoints. Each match carries a short reason explaining the danger.

Does it actually fetch the URLs?

No. It only matches the text of the paths you paste against known risky patterns. It never makes a network request, so nothing about your server is sent anywhere and no live probing happens.

Why is an exposed .git folder critical?

A web-readable .git directory lets an attacker reconstruct your full source tree, including hardcoded credentials and prior versions of files you thought you deleted. It is one of the most damaging and most common exposures.

What does the severity rating mean?

Critical means immediate credential or source-code exposure, high means likely data or config leakage, and medium means an endpoint that aids reconnaissance or attack. Treat critical and high as fix-now items.

Is a passing result a guarantee?

No. The tool only knows the patterns it ships with and only sees the paths you paste. A clean result means none of those well-known exposures appeared, not that your server is fully secure.

Sensitive File Path Exposure Checker

Web servers leak more than people expect. A misconfigured location block, a forgotten git pull on production, or a database dump left in the web root can hand an attacker your secrets in seconds. This checker takes a pasted list of server paths or URLs — from a sitemap, a crawl, or your own config — and flags the ones that match well-known sensitive-exposure patterns, rating each by severity so you know what to fix first.

How it works

Each line you paste is normalised (lowercased, query string and host stripped) and tested against a bundled table of risk patterns. The table groups exposures into three tiers:

Critical — direct source or secret exposure: .git/, .env, id_rsa, wp-config.php, *.sql backups, .htpasswd.
High — config and infrastructure leakage: docker-compose.yml, .npmrc, web.config, phpinfo.php, .DS_Store.
Medium — reconnaissance aids: exposed /admin, /.well-known/security.txt misuse, *.bak, *.log, /server-status.

A path is flagged on the first matching rule, and the tool reports the matched pattern, its tier, and a one-line reason. Matching is purely string/regex based and runs entirely in your browser.

Example

Paste these lines:

/.git/config
/static/app.css
/db/backup.sql.gz
/wp-config.php.bak

The checker flags /.git/config (critical — full repo reconstruction), /db/backup.sql.gz (critical — database dump), and /wp-config.php.bak (critical — editor backup of a secrets file). /static/app.css is left clean.

Tips

Run your live sitemap and a find . -type f of your web root through this before every release.
The most dangerous exposures are usually accidental: editor backups (~, .bak, .swp), VCS folders, and dumps. Block them at the server, not just by deleting the file.
A clean result is a floor, not a ceiling — pair this with a real vulnerability scanner and an authenticated config review.