By default, some web servers (like older versions of Apache) will display a list of all files in a directory if a default "index" file (like index.html or index.php) is missing. If a developer or administrator leaves a file named password.txt or passwords.csv in such a folder, anyone with a search engine can find and read it.
Apache: Add Options -Indexes to your Apache configuration or .htaccess file. Nginx: Set autoindex off; in your Nginx configuration.
A fast-growing fintech startup stored all AWS root keys in a file called production_passwords.txt inside their public-facing marketing site's /backup_old/ folder. A security researcher found the file via an "index of" link and reported it. By the time the company reacted, an automated bot had already used the keys to spin up $500,000 worth of cryptocurrency mining servers.
Turn off the server's ability to display directory contents to the public: the Apache Options -Indexes directive can be added to the main configuration file to disable indexing globally, or to a .htaccess file to disable it for specific folders.
Index of /backup
Name           Last modified   Size
[DIR] old/          2024-01-15      -
[TXT] password.txt  2024-01-10      1.2KB
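The listing above is exactly what an auditor of their own web root wants to find before a search engine does. The following script is an added example, not part of the original page: it walks a local web root, flags files whose names look like credentials, and reports whether the enclosing directory lacks an index file (so an auto-index would advertise the file). The index file names, the sensitive-name pattern, and the sample directory layout (modelled on the /backup_old/ incident described above) are assumptions constructed for this example.

```python
"""Audit a web root for files an auto-index listing would advertise.

Added example (not from the original page). Assumes the web root is on the
local filesystem and that the server treats the usual index files
(index.html, index.htm, index.php) as suppressing directory listings.
"""
import os
import re
import tempfile
from pathlib import Path

# Default index files: when one is present, Apache/Nginx serve it instead
# of generating a listing (assumed default names; adjust to your config).
INDEX_FILES = {"index.html", "index.htm", "index.php"}

# Filename fragments that should never appear under a web root at all.
# Constructed list for this example; extend it for your environment.
SENSITIVE_NAME = re.compile(r"passw(or)?d|secret|credential|\.env$|\.bak$",
                            re.IGNORECASE)


def audit_webroot(root):
    """Return a sorted list of (url_path, listable) for sensitive-looking files.

    listable is True when the file's directory has no index file, so a server
    with indexing enabled would advertise it on an "Index of" page. A False
    entry is still reachable by anyone who guesses the URL; the index file
    only hides it from the listing, it does not protect it.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        listable = not (set(filenames) & INDEX_FILES)
        rel = Path(dirpath).relative_to(root).as_posix()
        url_dir = "/" if rel == "." else f"/{rel}/"
        for name in filenames:
            if SENSITIVE_NAME.search(name):
                findings.append((url_dir + name, listable))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root mirroring the incident in the text: a
    marketing site whose /backup_old/ folder has no index file but holds a
    credentials file. Contents are placeholders. Returns the directory path."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "index.html": "<html>marketing site</html>",
        "backup_old/production_passwords.txt": "PLACEHOLDER-NOT-A-REAL-KEY",
        "backup_old/release_notes.txt": "v1.2 notes",
        "docs/index.html": "<html>docs</html>",
        "docs/passwords.csv": "user,PLACEHOLDER",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


if __name__ == "__main__":
    for url_path, listable in audit_webroot(build_sample_webroot()):
        state = "LISTED by auto-index" if listable else "not listed, still reachable"
        print(f"{url_path}: {state}")
```

Run it against your real document root instead of the constructed sample (`audit_webroot("/var/www/html")`); any hit, listable or not, is a file that should be moved out of the served tree, since Options -Indexes only removes the signpost, not the file.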
The "index of" password.txt search phrase is just one example of a broader class of sensitive file exposures.
A failure to properly protect sensitive files with a .htaccess rule can leave them public.
Risks of Exposed Password Files