Free Exposed Files Scanner
Check whether your site accidentally exposes .env, .git/config, backup archives, or other high-risk files.
Frequently asked
Do you download the file contents?
No. The tool only issues HEAD requests to check whether the file is served. It never reads or returns file contents.
Which paths are checked?
A small allow-list: /.env, /.git/config, /.git/HEAD, /backup.zip, /wp-config.php.bak, /.DS_Store, /config.json, /api/swagger.json.
Run a full security scan →