Hidden files are created automatically by many tools to store user preferences or sensitive information, such as credentials and tokens.

Why is this an issue?

When a static file server is configured to serve hidden files (files whose names begin with a dot), any user who knows or guesses a hidden filename can retrieve it over HTTP. Hidden files often contain private configuration, access tokens, SSH keys, shell history, or other data that was never intended to be publicly accessible. The serve-static `dotfiles` option controls this behaviour: 'allow' serves such files, 'deny' answers 403, and 'ignore' (the default) answers 404 as if the file did not exist; the check applies to every path segment, so a dot-prefixed directory such as `.git/` is covered as well. This rule raises an issue when the Express.js serve-static middleware (or `express.static`, which is built on it) is configured with dotfiles: 'allow'.

What is the potential impact?

An attacker who retrieves a hidden file may obtain credentials, private keys, or sensitive configuration that enables unauthorized access to the application or its infrastructure. Even seemingly benign files such as .editorconfig or .gitignore can reveal internal directory structure and technology choices, helping an attacker plan further attacks.

How to fix it

Code examples

Noncompliant code example

const express = require("express");
const serveStatic = require("serve-static");

const app = express();

// 'allow' serves any file or directory whose name begins with a dot, so
// /.env, /.git/config or /.ssh/id_rsa under ./public become retrievable.
const serveStaticMiddleware = serveStatic("public", { index: false, dotfiles: "allow" }); // Noncompliant
app.use(serveStaticMiddleware);

Compliant solution

const express = require("express");
const serveStatic = require("serve-static");

const app = express();

// 'ignore' answers 404 for any path containing a dot-prefixed segment, the same
// response an absent file gets. 'deny' (403 for every such path) is also safe;
// omitting the option entirely gives the default, which is 'ignore'.
const serveStaticMiddleware = serveStatic("public", { index: false, dotfiles: "ignore" });
app.use(serveStaticMiddleware);

Resources

Documentation

Standards