Development configuration files
Description
Development configuration files such as Vagrantfile, Gemfile, Rakefile, Dockerfile, or package.json are publicly accessible on the production system. These files are intended for development and build environments only and often contain sensitive information including dependency versions, internal paths, environment variables, API endpoints, and infrastructure details. Their presence on production systems indicates improper deployment practices and creates an information disclosure vulnerability.
Remediation
Remove all development configuration files from production deployments by implementing the following measures:
1. Exclude files during deployment:
Create a deployment process that explicitly excludes development files. For example, add them to your .gitignore or deployment exclusion list:
Vagrantfile
Gemfile
Gemfile.lock
Rakefile
Dockerfile
docker-compose.yml
package.json
package-lock.json
.env.development
2. Configure web server restrictions:
If files cannot be removed, restrict access using web server configuration. The patterns below cover the most common names; extend them so that every file in the exclusion list above (Gemfile.lock, docker-compose.yml, package-lock.json, .env.development) is also blocked. For Apache:
<FilesMatch "(Vagrantfile|Gemfile|Rakefile|Dockerfile|package\.json)$">
    Require all denied
</FilesMatch>
For Nginx:
location ~* (Vagrantfile|Gemfile|Rakefile|Dockerfile|package\.json)$ {
    # "return" is processed before "deny", so clients receive a 404
    # rather than a 403 that would confirm the file exists
    deny all;
    return 404;
}
3. Implement proper build processes:
Use CI/CD pipelines that build production artifacts separately from source code, ensuring only necessary application files are deployed.
4. Verify removal:
Regularly scan production systems to ensure no development files are accessible through web requests.
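Steps 1, 3 and 4 above can be enforced in the pipeline itself: before an artifact is deployed, walk it and fail the build if any file from the exclusion list is present. The script below is an added example, not part of the original page; it assumes the exclusion list is maintained in the script (DEV_FILE_PATTERNS) and constructs a throwaway sample artifact tree when run without arguments.

```python
"""CI gate: fail the build if development configuration files are present
in the production artifact directory that is about to be deployed."""
import fnmatch
import os
import sys
import tempfile

# File names the remediation lists as development-only. Assumption: the
# exclusion list lives here; fnmatch lets you add glob entries such as "*.orig".
DEV_FILE_PATTERNS = [
    "Vagrantfile", "Gemfile", "Gemfile.lock", "Rakefile", "Dockerfile",
    "docker-compose.yml", "package.json", "package-lock.json",
    ".env.development",
]


def find_dev_files(root):
    """Return paths (relative to root) of development files found anywhere in
    the artifact tree. Matching is case-insensitive so that a stray
    "dockerfile" or "GEMFILE" is caught as well."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if any(fnmatch.fnmatch(name.lower(), p.lower()) for p in DEV_FILE_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_artifact():
    """Create a constructed sample artifact (not a real build) containing two
    legitimate files and three development files, one in a subdirectory."""
    root = tempfile.mkdtemp(prefix="artifact-")
    for rel in ["index.html", "assets/app.js", "package.json",
                "vendor/Gemfile.lock", ".env.development"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


def gate(root):
    """Report every hit and return a non-zero status so the pipeline stops
    before a tainted artifact reaches production."""
    hits = find_dev_files(root)
    for hit in hits:
        print(f"development file present in artifact: {hit}")
    return 1 if hits else 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_artifact()
    sys.exit(gate(target))
```

Run it as a pipeline step with the artifact directory as the argument; a non-zero exit blocks the deploy, and the same name list can be reused to drive the post-deployment web checks in step 4.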