Recently, I built StatusScout, an open-source tool to check and monitor a website’s health. For testing purposes, I ran the tool against hundreds of websites. Here are the most common security issues I encountered:
1. Sensitive files or directories are publicly available
A surprisingly large number of websites have sensitive files and directories accessible via the web. The ten most common ones I encountered are:
/.htaccess – could reveal sensitive server rules
/info.php or /test.php – usually expose phpinfo() output, which can reveal detailed server and PHP configuration that could be abused
/package-lock.json – exposes JavaScript dependencies and project structure. This is especially dangerous if it includes outdated packages with known security vulnerabilities (use npm audit to check for those)
/.gitignore – reveals which files are considered sensitive or excluded from version control
/.git/ – exposes the Git repository and history. Attackers may download the source code or commit history
/.git/config – exposes Git configuration, which can leak repository details such as remote URLs and branch targets
/wp-includes – WordPress core include files are publicly accessible. This can help attackers fingerprint the WordPress version and plugins
/docker-compose.yml – includes service definitions, image names, and environment references that can expose deployment details or secrets
/bitbucket-pipelines.yml – contains repository and deployment information
There are many more files I’ve encountered, but these are the most common ones.
2. Missing or misconfigured DNS records
Other common security issues lie within DNS settings. One of the most common problems is dangling DNS records, which can lead to subdomain takeovers. This happens when a DNS record points to a service that no longer exists (for example, a deleted cloud resource on AWS, GitHub Pages, or Vercel). Attackers can then claim the resource and take over the subdomain.
Another common issue is missing DNSSEC (the zone is not signed), which increases the risk of DNS spoofing and hijacking.
3. Missing HTTP headers
Most websites are also missing several security-related HTTP headers. The most important ones are:
Content-Security-Policy – controls which resources (scripts, styles, images, etc.) are allowed to load
Strict-Transport-Security – forces browsers to use HTTPS
X-Frame-Options – protects against clickjacking by preventing your site from being embedded in an iframe
X-Content-Type-Options – prevents MIME type sniffing
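As an added example (my own code, not part of the original post or of StatusScout), here is a small Python checker that evaluates a response's headers against the four listed above. The one-year HSTS threshold and the treatment of CSP frame-ancestors as a substitute for X-Frame-Options are my assumptions.

```python
import re
import urllib.request

# One-year minimum for HSTS max-age, a common hardening recommendation;
# this threshold is an assumption, not a value from the post.
HSTS_MIN_AGE = 31536000

def evaluate_headers(headers):
    """Return findings for the four headers; `headers` maps names to values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    directives = {}
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # Split "directive value value; directive ..." into a dict for inspection
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        if "'unsafe-inline'" in directives.get("script-src", []):
            findings.append("Content-Security-Policy allows inline scripts")
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    elif not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append("Strict-Transport-Security max-age below one year")
    # CSP frame-ancestors supersedes X-Frame-Options, so flag only if neither is set
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        if "frame-ancestors" not in directives:
            findings.append("X-Frame-Options missing and no CSP frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    return findings

def check_site(url):
    """Fetch `url` and evaluate its live response headers (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return evaluate_headers(dict(resp.headers.items()))

# Constructed sample response, not captured from any real site
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=300",
                  "X-Content-Type-Options": "nosniff"}
if __name__ == "__main__":
    print("\n".join(evaluate_headers(SAMPLE_HEADERS)))
```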
If you want to check your website for all these security issues, you can do so for free at https://statusscout.dev.
Thanks for reading! Let me know if you'd like to read a more extended guide on website security :)
Cheers,
Vincent