Safeey.io
File Exposure

.DS_Store Files: The Quiet Directory Leak

A file you didn't know you shipped

.DS_Store is a metadata file macOS creates in every folder to remember icon positions and view settings. It's invisible in Finder, so it's easy to deploy one without realizing. The problem: it contains a list of every file and folder in that directory.

Why attackers love it

When .DS_Store is reachable at https://yoursite.com/.DS_Store, an attacker can parse it to reveal filenames you never linked publicly — backup folders, admin directories, staging files, database dumps. It effectively hands them a map of your directory structure, letting them find sensitive files that would otherwise stay hidden.

From there they can walk deeper, requesting the .DS_Store in each discovered subfolder to build a full picture of your server.

How to check and fix it

  • Request https://yoursite.com/.DS_Store. If a binary file downloads, it's leaking.
  • Add .DS_Store to .gitignore so it never gets committed.
  • Configure your server to block requests for .DS_Store files.
  • Review what the file exposed and make sure those directories aren't themselves reachable.

Don't rely on obscurity

Hidden isn't the same as protected. Safeey looks for .DS_Store and many other directory‑leak artifacts, then shows you exactly what's reachable. Scan your site.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site