Tags: Information Disclosure, Server Security, Web Security

Information Disclosure: What Your Website Might Be Revealing to Attackers

Stack traces, HTML comments, exposed config files, and server headers all give attackers free intelligence about your site. Learn what to look for and how to stop the leaks.

WebSentry Team | April 26, 2026 | 7 min read

What Is Information Disclosure?

Information disclosure happens when a website unintentionally reveals details about itself — its technology stack, internal paths, version numbers, credentials, or source code. Individually, these details might seem harmless. Combined, they give attackers a detailed map of your system before they've launched a single attack.

When WebSentry scans your site, the information disclosure check looks at headers, HTML source, error pages, configuration files, and common sensitive paths to find what your site is giving away for free.

The Most Common Ways Sites Leak Information

1. HTTP Headers That Announce Your Stack

Headers like X-Powered-By: PHP/8.1 or Server: Apache/2.4.52 tell attackers exactly which software, and which version, to look up known vulnerabilities for, saving them the fingerprinting step entirely. See our server information guide for exact removal steps.

2. HTML Comments With Sensitive Notes

Developers sometimes leave comments that were never meant to be public:

<!-- TODO: remove debug mode before launch -->
<!-- DB connection: mysql://admin:password@localhost/prod -->

Anyone who views your page source can read these. Remove all HTML comments from production builds.

3. Error Messages and Stack Traces

A PHP fatal error or warning rendered on a live page reveals absolute file paths (and with them your directory layout), the libraries and framework you use, and exact line numbers; a database error on top of that often names the database engine and leaks fragments of the failing query. In production, all errors should be logged server-side and visitors shown a generic error page.

4. Exposed Configuration Files

Files like /.env, /.git/config, and stray copies of config files (a config.php.bak or config.php~ left in the web root is served as plain text instead of being executed) are sometimes accidentally left publicly accessible. A .env file containing database passwords or API keys is one of the most damaging leaks possible, and a readable .git directory can let an attacker download your source history.

5. Source Maps in Production

JavaScript source maps let anyone read your unminified code, including comments, variable names, and business logic. The minified bundle points to its map with a trailing //# sourceMappingURL= comment, and browser developer tools load it automatically. Disable source map generation in your production build (or emit maps somewhere that is never deployed), and block any .map files that still reach the server via your server config. Removing the comment alone is not enough if the .map file itself is still served.

6. robots.txt Revealing Sensitive Paths

Trying to hide paths from search engines in robots.txt can advertise them to attackers. Every path in robots.txt is publicly readable — protect sensitive paths with authentication, not just Disallow rules.

How to Audit Your Site

  1. Run a WebSentry scan, which checks headers, source maps, sensitive paths, HTML comments, and error exposure automatically
  2. View your page source and search for <!--; also check your served JavaScript bundles for a sourceMappingURL comment
  3. Request /.env, /phpinfo.php, and /.git/config directly. They should return 404. A 403 is better than a 200, but it still confirms the file exists, so prefer a 404 for anything that should not be in the web root at all
  4. Trigger a 404 and a 500 error and confirm each shows a generic page with no file path, version string, or stack trace
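The four audit steps above as one runnable script. This is an added example, not WebSentry's scanner and not code from the original article: it uses only the Python standard library, the probed paths and the list of stack-revealing headers are assumptions chosen for the example (extend them for your own stack), and the `fetch` parameter exists so you can plug in a fake client and test the checks offline. Run it only against sites you are authorized to test.

```python
import re
import sys
import urllib.error
import urllib.request

# Assumed for this example: paths that should never be served from a web root.
SENSITIVE_PATHS = ["/.env", "/.git/config", "/phpinfo.php", "/config.php.bak"]
# Assumed for this example: headers that name the server software.
STACK_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Credential-looking text: key=value / key: value style, or user:pass@ inside a URL
SECRET_RE = re.compile(
    r"(?:password|passwd|secret|api[_-]?key|token)\s*[:=]|://[^\s/:@]+:[^\s@]+@", re.I)
# Classic "... in /path/file.php on line 12" and PHP 7+ "... in /path/file.php:12"
PHP_ERROR_RE = re.compile(
    r"(?:Fatal error|Parse error|Warning|Notice)[^\n]*? in (\S+?)(?: on line (\d+)|:(\d+))")
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)", re.M)


def check_headers(headers):
    """Flag headers that name the server software; a version number is worse."""
    findings = []
    for name, value in headers.items():
        if name.lower() in STACK_HEADERS:
            sev = "medium" if re.search(r"\d+\.\d+", value) else "low"
            findings.append((sev, f"{name} header reveals stack: {value}"))
    return findings


def check_body(path, body):
    """Flag HTML comments, PHP errors and source-map references in a response body."""
    findings = []
    for m in COMMENT_RE.finditer(body):
        text = " ".join(m.group(1).split())
        if SECRET_RE.search(text):
            findings.append(("high", f"{path}: HTML comment contains a credential: {text[:60]}"))
        elif text:
            findings.append(("low", f"{path}: HTML comment left in production: {text[:60]}"))
    m = PHP_ERROR_RE.search(body)
    if m:
        line = m.group(2) or m.group(3)
        findings.append(("high", f"{path}: PHP error exposes {m.group(1)} line {line}"))
    for m in SOURCEMAP_RE.finditer(body):
        findings.append(("medium", f"{path}: references source map {m.group(1)}"))
    return findings


def check_sensitive_path(path, status, body):
    """200 is a leak; 403 still confirms the file exists; 404 is the goal."""
    if status == 200:
        sev = "critical" if path.endswith(".env") or "/.git/" in path else "high"
        return [(sev, f"{path} is publicly readable ({len(body)} bytes)")]
    if status == 403:
        return [("low", f"{path} returns 403: existence confirmed, prefer 404")]
    return []


def http_fetch(url, timeout=10):
    """GET a URL and return (status, headers, body), including for 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "disclosure-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read(65536).decode("utf-8", "replace")


def audit(base_url, fetch=http_fetch):
    """Run all checks against base_url and return (severity, message) pairs, worst first."""
    base_url = base_url.rstrip("/")
    findings = []
    _, headers, body = fetch(base_url + "/")
    findings += check_headers(headers)
    findings += check_body("/", body)
    for path in SENSITIVE_PATHS:
        status, _, body = fetch(base_url + path)
        findings += check_sensitive_path(path, status, body)
    # A request for a page that cannot exist exercises the 404 handler; it must not leak either.
    _, _, body = fetch(base_url + "/this-page-does-not-exist-0d3a9")
    findings += check_body("/<404 page>", body)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, msg in audit(sys.argv[1]):
        print(f"[{sev.upper():8}] {msg}")
```

Usage: `python3 audit.py https://example.com`. The script deliberately treats a 403 on a sensitive path as a (low) finding rather than a pass, because the status code still tells an attacker the file is there; a site that answers 404 for everything it does not intend to serve gives nothing away.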

Fixing Critical Issues

Disable PHP error display (in php.ini, then reload PHP-FPM or the web server)

display_errors = Off
log_errors = On

Block sensitive files in Nginx

location ~ /\.(env|git|htaccess) {
    return 404;
}
location ~* \.map$ {
    return 404;
}

The backslash before the dot matters: without it `.` matches any character, so the rule would also catch unrelated paths such as /venv while reading as if it only targeted dotfiles. Because `location ~` is an unanchored regex match on the URI, the first block covers /.env, /sub/.env and /.git/config alike. A bare `return 404` is enough here: Nginx evaluates `return` in its rewrite phase, before access rules such as `deny all` are reached, and answering 404 rather than 403 hides the fact that the file exists.

Summary

Information disclosure is a force multiplier for attackers. Audit what your site reveals, remove what it doesn't need to say, and treat error handling and file access as security concerns, not just operational ones.
