.DS_Store Files: The Quiet Directory Leak
A file you didn't know you shipped
.DS_Store is a metadata file macOS creates in every folder to remember icon positions and view settings. It's invisible in Finder, so it's easy to deploy one without realizing. The problem: it contains a list of every file and folder in that directory.
Why attackers love it
When .DS_Store is reachable at https://yoursite.com/.DS_Store, an attacker can parse it to reveal filenames you never linked publicly — backup folders, admin directories, staging files, database dumps. It effectively hands them a map of your directory structure, letting them find sensitive files that would otherwise stay hidden.
From there they can walk deeper, requesting the .DS_Store in each discovered subfolder to build a full picture of your server.
How to check and fix it
- Request
https://yoursite.com/.DS_Store. If a binary file downloads, it's leaking. - Add
.DS_Storeto.gitignoreso it never gets committed. - Configure your server to block requests for
.DS_Storefiles. - Review what the file exposed and make sure those directories aren't themselves reachable.
Don't rely on obscurity
Hidden isn't the same as protected. Safeey looks for .DS_Store and many other directory‑leak artifacts, then shows you exactly what's reachable. Scan your site.
See what your site exposes
Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.
Scan your site