Sensitive Laravel Files

Easy

Checks for exposed sensitive Laravel files (.git, logs, config).

Estimated fix time: 10 minutes

What are Sensitive Files?

Laravel applications contain files that should never be publicly accessible, including .git directories, log files, configuration files, and dependency manifests. These files can expose source code, credentials, and application structure.

Security Impact

Severity: High to Critical

  • Source code exposure via .git
  • Credential theft from logs
  • Application structure revealed
  • Version information disclosed
  • Vulnerability reconnaissance enabled

Sensitive Files to Protect

  • .git/ - Complete source code history
  • storage/logs/ - May contain credentials, user data
  • composer.json, composer.lock - Dependency versions
  • package.json, package-lock.json - Frontend dependencies
  • .env.example - Configuration structure
  • phpunit.xml - Test configuration
  • README.md, CHANGELOG.md - Application details

How to Fix

Nginx Configuration

# Block access to hidden files and directories. The negative lookahead keeps
# /.well-known/ reachable, which ACME (Let's Encrypt) validation relies on.
location ~ /\.(?!well-known) {
    deny all;
    access_log off;
    log_not_found off;
    return 404;
}

# Block access to sensitive Laravel files
location ~* (composer\.json|composer\.lock|package\.json|package-lock\.json|phpunit\.xml|\.env\.example|README\.md)$ {
    deny all;
    return 404;
}

# Block log files
location ~* /storage/logs/ {
    deny all;
    return 404;
}

Apache Configuration

# Server or virtual-host configuration. DirectoryMatch is not permitted in
# .htaccess, so the two directory blocks must live in httpd.conf or the vhost;
# the FilesMatch block also works from .htaccess. Apache 2.4 syntax.
# Block .git directory
<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>

# Block sensitive files
<FilesMatch "^(composer\.(json|lock)|package(-lock)?\.json|phpunit\.xml|\.env\.example|README\.md|CHANGELOG\.md)$">
    Require all denied
</FilesMatch>

# Block log files
<DirectoryMatch "^/.*/storage/logs/">
    Require all denied
</DirectoryMatch>

Remove .git in Production

# In deployment script
rm -rf .git

Proper File Permissions

# Restrictive permissions. Directories need the execute bit to be traversable,
# so set modes per type rather than with a single recursive chmod (a recursive
# 644 on storage/logs would leave Laravel unable to write its log files).
chown -R www-data:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +
# Log files are read and written only by the web server user
find /var/www/html/storage/logs -type f -exec chmod 640 {} +

Verification Steps

  1. Try accessing https://yourdomain.com/.git/config - should return 404
  2. Try https://yourdomain.com/storage/logs/laravel.log - should be blocked
  3. Try https://yourdomain.com/composer.json - should return 404
  4. Check file permissions with ls -la
  5. Use a security scanner to verify

Complete Protection List

# Comprehensive nginx configuration
location ~ /\.(git|svn|hg|bzr)/ {
    deny all;
    return 404;
}

location ~* \.(env|env\.example|gitignore|gitattributes)$ {
    deny all;
    return 404;
}

location ~* (composer\.(json|lock)|package(-lock)?\.json|phpunit\.xml|webpack\.mix\.js|artisan)$ {
    deny all;
    return 404;
}

# Note: blocking /storage/ also blocks the public/storage symlink created by
# `php artisan storage:link`; exempt that path if you serve uploads from it.
location ~ ^/(storage|bootstrap|database|resources|routes|tests)/ {
    deny all;
    return 404;
}

Automated Checks

# Check for exposed .git
curl -I https://yourdomain.com/.git/config

# Check for exposed logs
curl -I https://yourdomain.com/storage/logs/laravel.log

# Check for composer.json
curl -I https://yourdomain.com/composer.json
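A scripted form of the verification steps and curl checks above, added here as an example (it is not part of the original guide or of StackShield's scanner). It requests each sensitive path from this guide without following redirects, and requires a content signature before reporting a 200 response as exposed, so a site that answers 200 to every URL (catch-all route, soft-404 page) does not produce false alarms. The base URL comes from the command line; the per-path signatures are my assumptions about what the genuine files look like.

```python
"""Exposure check for the sensitive Laravel paths in this guide. Each path has a
content signature, so a site answering 200 to every URL reports SOFT-404, not EXPOSED."""
import urllib.request
from urllib.error import HTTPError, URLError

# Path -> predicate: does the body look like the real file? (assumed signatures)
SIGNATURES = {
    "/.git/config": lambda b: b.lstrip().startswith("[core]"),
    "/.git/HEAD": lambda b: b.startswith("ref: refs/"),
    "/storage/logs/laravel.log": lambda b: ".ERROR:" in b or ".INFO:" in b,
    "/composer.json": lambda b: b.lstrip().startswith("{") and '"require"' in b,
    "/composer.lock": lambda b: b.lstrip().startswith("{") and '"packages"' in b,
    "/.env.example": lambda b: "APP_KEY=" in b,
    "/phpunit.xml": lambda b: "<phpunit" in b,
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: a 3xx must surface as its own status

def http_get(url, timeout=5):
    """Default fetcher: (status, body); a connection failure gives (None, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "laravel-exposure-check"})
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""

def classify(status, body, looks_real):
    if status is None:
        return "ERROR"
    if status in (301, 302, 303, 307, 308):
        return "REDIRECT"  # e.g. to a login page, not the 404 this guide expects
    if status != 200:
        return "BLOCKED"
    return "EXPOSED" if looks_real(body) else "SOFT-404"

def scan(base_url, fetch=http_get):
    """Return {path: verdict}; `fetch` is injectable for offline testing."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p), sig) for p, sig in SIGNATURES.items()}

if __name__ == "__main__":
    import sys
    for path, verdict in scan(sys.argv[1]).items():
        print(f"{verdict:9} {path}")
```

Run it as `python3 check_exposure.py https://yourdomain.com`; every path should come back BLOCKED, and a REDIRECT or SOFT-404 verdict is worth a manual look since neither is the 404 the steps above call for.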

Automatically detect this issue

StackShield can automatically scan your Laravel application for this security issue and alert you when it's detected.
