[Possible] Backup Source Code Detected
Description
The web server contains files that appear to be backup copies of source code, configuration files, or other web application resources. These backup files are typically created by developers or automated tools during development, maintenance, or deployment processes, and are often left behind inadvertently when code is modified or updated. Common patterns include files with extensions like .bak, .old, .backup, or tilde (~) suffixes.
Remediation
Immediately remove all backup files from web-accessible directories on the server. Conduct a comprehensive audit to identify backup files using common patterns (*.bak, *.old, *.backup, *~, *.swp, *.tmp, *.orig, *.copy).
Configure your web server to deny access to backup file patterns. For Apache, add the following to your .htaccess or server configuration:
<FilesMatch "\.(bak|old|backup|swp|tmp|orig|copy)$|~$">
    Require all denied
</FilesMatch>
For Nginx, add to your server block:
location ~ \.(bak|old|backup|swp|tmp|orig|copy)$ {
    deny all;
}
location ~ ~$ {
    deny all;
}

Establish organizational policies prohibiting the creation of backup files in production environments. Implement proper version control systems (such as Git) for code management instead of manual file-based backups. Configure deployment processes to exclude backup files automatically, and add backup file patterns to .gitignore or equivalent version control ignore files to prevent accidental commits.
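As an added example (not part of the original finding), the following Python script performs the audit step against a web root using the pattern list above, then checks each hit against the same deny regex the Apache and Nginx rules use; the sample web root and its leftover files are constructed in a temporary directory. Because both server rules are case-sensitive as written, a file such as db.yml.BAK is found by the audit but would not be blocked, which the second check makes visible.

```python
import fnmatch
import os
import re
import tempfile

# The audit globs listed in the remediation text.
BACKUP_GLOBS = ["*.bak", "*.old", "*.backup", "*~", "*.swp", "*.tmp", "*.orig", "*.copy"]

# The deny regex from the Apache FilesMatch / Nginx location rules above.
# Both rules are case-sensitive as written, which the check below makes visible.
DENY_REGEX = re.compile(r"\.(bak|old|backup|swp|tmp|orig|copy)$|~$")


def find_backup_files(web_root):
    """Walk web_root and return web-relative paths matching any audit glob.

    Names are lower-cased before matching so the audit also catches
    case variants such as db.yml.BAK that the globs alone would miss.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if any(fnmatch.fnmatchcase(name.lower(), g) for g in BACKUP_GLOBS):
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def not_blocked_by_deny_rule(paths):
    """Return the audit hits the case-sensitive deny regex would still let through."""
    return [p for p in paths if not DENY_REGEX.search(os.path.basename(p))]


def build_sample_root():
    """Create a constructed web root (temp dir) with a few plausible leftover files."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "old"))
    for rel in ["index.php", "README.md", "config.php.bak", "config.php~",
                ".config.php.swp", "old/app.js.old", "db.yml.BAK"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    hits = find_backup_files(root)
    print("backup files found:", hits)
    print("still reachable after deny rule:", not_blocked_by_deny_rule(hits))
```

Point find_backup_files at the real document root to audit a server; any path reported by not_blocked_by_deny_rule needs either removal or a broader rule (for example a case-insensitive Nginx location using `~*`).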