Safeey.ioOpen scanner
The Safeey blog

Web security, explained.

Practical, plain-English guides to the issues that actually get sites breached — and how to fix them.

File Exposure

The Danger of Exposed .env Files

A single publicly reachable .env file can hand an attacker your database, your payment keys, and your entire application. Here's how it happens and how to stop it.

File Exposure

Why an Exposed .git Directory Is a Goldmine for Attackers

If your /.git folder is reachable, an attacker can reconstruct your entire source code — including secrets you deleted long ago.

File Exposure

.DS_Store Files: The Quiet Directory Leak

That tiny macOS file you never think about can map your server's hidden folders for an attacker. Here's why it matters.

Security Headers

Security Headers That Actually Matter

CSP, HSTS, and a handful of HTTP headers do a huge amount of your site's defensive work. Here's what each one does and how to set it.

Subdomains

Subdomain Takeover: How Forgotten DNS Becomes a Breach

A DNS record pointing at a service you no longer use can let an attacker host content on your domain. Here's how subdomain takeover works.

Injection & Redirects

Open Redirects: The Vulnerability That Weaponizes Your Domain

An open redirect lets attackers use your trusted domain to send victims to malicious sites. Here's how it works and how to prevent it.

Exposed Secrets

Leaked API Keys in Your JavaScript Bundles

Secrets bundled into your frontend JavaScript are visible to anyone who opens the developer tools. Here's how keys leak and what to do.

API Security

GraphQL Introspection: Handing Attackers Your API Map

Introspection is great in development and dangerous in production. Here's why you should disable it on your live GraphQL API.

Default Credentials

Default Credentials: The Door You Forgot to Lock

Admin panels and devices shipped with default logins are among the easiest ways in. Here's why they're so dangerous.

Information Disclosure

Exposed Source Maps: Reverse-Engineering Your Frontend

Public .map files reconstruct your original, commented source code from minified bundles. Here's what that reveals.