What Attackers Look For

What Attackers Look For

Automated scanners probe /.env, /.env.local, /.env.production on every public website. A single exposed file can leak database credentials, API keys, and payment secrets.

Why It's Dangerous

One leaked .env file means full database access, payment fraud, email impersonation. Attackers sell these credentials on dark web markets within hours.

How To Protect

• - Never deploy .env files to production
• - Use your hosting platform's environment variable system
• - Add .env* to .gitignore and .dockerignore
• - Scan your live site to verify

What Attackers Look For

Attackers request /.git/config, /.git/HEAD, and /.gitignore to detect exposed Git repositories. A misconfigured server can serve your entire source code history.

Why It's Dangerous

Source code reveals business logic, internal API endpoints, hardcoded tokens, and security weaknesses. Attackers reverse-engineer authentication flows and find injection points.

How To Protect

• - Block /.git/* paths in your web server config
• - Use a CDN or hosting platform that doesn't serve dotfiles
• - Verify with a curl request to yourdomain.com/.git/config

What Attackers Look For

Attackers send introspection queries to /graphql and /graphql/v1 to map your entire API schema - every query, mutation, type, and field.

Why It's Dangerous

An open introspection endpoint is like publishing your entire API documentation to attackers. They discover admin mutations, sensitive fields, and unprotected queries.

How To Protect

• - Disable introspection in production (introspection: false)
• - Use allowlists for permitted queries
• - Implement field-level authorization on sensitive resolvers

What Attackers Look For

Scanners check for /phpmyadmin, /wp-admin, /wp-login.php, /admin.php - common paths from WordPress, PHP, and legacy frameworks.

Why It's Dangerous

Even if you don't use WordPress, a default installation or forgotten admin panel gives attackers direct database access or CMS control.

How To Protect

• - Remove unused software completely
• - If you need admin panels, put them behind VPN or IP allowlist
• - Use non-standard paths and enforce MFA

What Attackers Look For

Attackers probe /.aws/credentials, /server-status, /server-info to find cloud provider credentials and server diagnostics.

Why It's Dangerous

AWS/GCP/Azure credentials give attackers access to your entire cloud infrastructure - databases, storage, compute. Server status pages reveal internal architecture.

How To Protect

• - Never store cloud credentials in web-accessible directories
• - Disable Apache mod_status and mod_info
• - Use IAM roles instead of static credentials
• - Rotate keys regularly

What Attackers Look For

Automated bots target login and signup forms with credential stuffing (testing leaked password lists) and registration spam (creating fake accounts at scale).

Why It's Dangerous

Credential stuffing succeeds because users reuse passwords. A single match gives attackers access to the account and any linked payment methods or personal data.

How To Protect

• - Implement rate limiting on auth endpoints (max 5 attempts/minute)
• - Add CAPTCHA after failed attempts
• - Use honeypot hidden fields
• - Enforce strong passwords and offer MFA