# Apache
# (no leading slash, so these entries also match old.htaccess, old.htpasswd, etc.)
.htaccess
.htdigest
.htpasswd

# Home-level dotfiles (keep in sync with lfi-os-files.data).
# Also include commented-out values (e.g., `# .env`), but not explanatory comments.
# grep -E "^(#\s*)?\.\S+$" lfi-os-files.data | sed 's/^#\s*//'
.access/
.addressbook
.anydesk/
.aptitude/config
.atom/
.aws/
.azure/
.bash_
.bashrc
.boto
.cache/
.cache/notify-osd.log
.cargo/
.config.local.php
.config/
.coverage
.coveralls.yml
.credentials
.cshrc
.cups/
.cvs
.dbus/
.deployment-secrets.txt
.docker/
.dockerignore
.drush/
.env
.envrc
.eslintignore
.fbcindex
.forward
.ftpconfig
.gem/
.git/
.gitattributes
.gitconfig
.gitignore
.gitkeep
.gitmodules
.gnome/
.gnome2/
.gnomerc/
.gnupg/
.google_authenticator
.gsutil/
.hg/
.hgignore
.history
.hplip/hplip.conf
.htaccess
.htdigest
.htpasswd
.ipynb_checkpoints/
.java/
.ksh_history
.kube/
.lesshst
.lftp/
.lhistory
.lighttpdpassword
.lldb-history
.local/bin/
.local/lib/
.local/share/
.local/state/
.lynx_cookies
.minikube/
.msmtprc
.my.cnf
.myscmserverinfo
.mysql_history
.nano_history
.netrc
.node_repl_history
.npm/
.npmrc
.nsconfig
.nsr
.nvm/
.oh-my-
.pac
.pass
.passwd
.password-store
.pearrc
.pgpass
.php_history
.pinerc
.pki/
.proclog
.procmailrc
.profile
.psql_history
.pwd
.pytest_cache/
.python_history
.rediscli_history
.remote-sync.json
.rhistory
.rhosts
.rustup
.s3cfg
.secrets
.selected_editor
.settings/
.sh_history
.snap/
.sqlite_history
.ssh/
.subversion/
.svn/
.svnignore
.tconn/
.tcshrc
.terraform.lock.hcl
.terraform/
.thunderbird/
.tmux.conf
.tools/
.tor/
.travis.yaml
.travis.yml
.vagrant.d/
.vidalia/
.vim/
.viminfo
.vimrc
.vmware/
.vscode
.web.config.swp
.wget-hsts
.www_acl
.wwwacl
.xauthority
.yarnrc
.zhistory
.zsh_history
.zshenv
.zshrc

# Generic config filenames and common permutations
config.asp
config_dev.asp
config-dev.asp
config.dev.asp
config_prod.asp
config-prod.asp
config.prod.asp
config.sample.asp
config-sample.asp
config_sample.asp
config_test.asp
config-test.asp
config.test.asp
config.ini
config_dev.ini
config-dev.ini
config.dev.ini
config_prod.ini
config-prod.ini
config.prod.ini
config.sample.ini
config-sample.ini
config_sample.ini
config_test.ini
config-test.ini
config.test.ini
config.json
config_dev.json
config-dev.json
config.dev.json
config_prod.json
config-prod.json
config.prod.json
config.sample.json
config-sample.json
config_sample.json
config_test.json
config-test.json
config.test.json
config.php
config_dev.php
config-dev.php
config.dev.php
config_prod.php
config-prod.php
config.prod.php
config.sample.php
config-sample.php
config_sample.php
config_test.php
config-test.php
config.test.php
config.pl
config_dev.pl
config-dev.pl
config.dev.pl
config_prod.pl
config-prod.pl
config.prod.pl
config.sample.pl
config-sample.pl
config_sample.pl
config_test.pl
config-test.pl
config.test.pl
config.py
config_dev.py
config-dev.py
config.dev.py
config_prod.py
config-prod.py
config.prod.py
config.sample.py
config-sample.py
config_sample.py
config_test.py
config-test.py
config.test.py
config.rb
config_dev.rb
config-dev.rb
config.dev.rb
config_prod.rb
config-prod.rb
config.prod.rb
config.sample.rb
config-sample.rb
config_sample.rb
config_test.rb
config-test.rb
config.test.rb
config.toml
config_dev.toml
config-dev.toml
config.dev.toml
config_prod.toml
config-prod.toml
config.prod.toml
config.sample.toml
config-sample.toml
config_sample.toml
config_test.toml
config-test.toml
config.test.toml
config.txt
config_dev.txt
config-dev.txt
config.dev.txt
config_prod.txt
config-prod.txt
config.prod.txt
config.sample.txt
config-sample.txt
config_sample.txt
config_test.txt
config-test.txt
config.test.txt
config.xml
config_dev.xml
config-dev.xml
config.dev.xml
config_prod.xml
config-prod.xml
config.prod.xml
config.sample.xml
config-sample.xml
config_sample.xml
config_test.xml
config-test.xml
config.test.xml
config.yaml
config_dev.yaml
config-dev.yaml
config.dev.yaml
config_prod.yaml
config-prod.yaml
config.prod.yaml
config.sample.yaml
config-sample.yaml
config_sample.yaml
config_test.yaml
config-test.yaml
config.test.yaml
config.yml
config_dev.yml
config-dev.yml
config.dev.yml
config_prod.yml
config-prod.yml
config.prod.yml
config.sample.yml
config-sample.yml
config_sample.yml
config_test.yml
config-test.yml
config.test.yml
config.sample.inc.php
credentials.json
secrets.json
secrets.yaml
secrets.yml

# Compressed database dumps
.sql.001
.sql.7z
.sql.bz
.sql.ace
.sql.arj
.sql.cpio
.sql.gz
.sql.lha
.sql.lz
.sql.pa
.sql.pea
.sql.r00
.sql.r01
.sql.r02
.sql.r03
.sql.r04
.sql.r05
.sql.r06
.sql.r07
.sql.r08
.sql.r09
.sql.rar
.sql.rev
.sql.tar
.sql.taz
.sql.tbz
.sql.tgz
.sql.txz
.sql.uha
.sql.xz
.sql.yz1
.sql.z

# GitLab Omnibus
gitlab.rb
gitlab_config_
initial_root_password

# AWS CLI
aws.yaml
aws.yml
aws-key.yaml
aws-key.yml

# October CMS credentials file
/auth.json

# WordPress
/debug.log
/error.log
/errors.log
wp-config.
wp-config-
wp-config_

# Symfony
/config/parameters.yml
/config/routing.yml
/config/security.yml
/config/services.yml

# Drupal
/sites/default/default.settings.php
/sites/default/settings.php
/sites/default/settings.local.php

# PrestaShop configuration files
/config/settings.inc.php
/app/config/parameters.php

# Magento
/app/etc/env.php
/app/etc/local.xml

# ASP.NET
/Web.config

# Node
/package.json
/package-lock.json
/npm-shrinkwrap.json
/gruntfile.js
/npm-debug.log
/webpack.config.js
/yarn.lock

# Composer
/composer.json
/composer.lock
/packages.json

# OSX
/.DS_Store

# WS FTP
/.ws_ftp.ini

# New Per-Project Files
.idea
nbproject/
bower.json
.bowerrc
.eslintrc
.jshintrc
.gitlab-ci.yml
.travis.yml
database.yaml
database.yml
Dockerfile

# PHP_CodeSniffer configuration files
.php_cs.dist
.phpcs.xml
phpcs.xml
.phpcs.xml.dist
phpcs.xml.dist

# Windows desktop configuration file
Desktop.ini

# Windows Explorer cache of thumbnail images
Thumbs.db

# PHP configuration files
.user.ini
php.ini

# Oracle WebLogic Server configuration file
weblogic.xml

# Common names for local PHP error logs
php_error.log
php_errors.log

# Java directory for non-public application data
WEB-INF/

# Fortinet SSL VPN session file
sslvpn_websession

# BlockCypher log file used in code examples
BlockCypher.log

# Roundcube Webmail
config.inc.php
config.sample.php
defaults.inc.php

# Contains credentials for SendGrid service
sendgrid.env

# Fish shell files
.fish
fish_variables

# CVE-2023-5003
ldap-authentication-report.csv

# OpenStack-Ansible credentials file
user_secrets.yml

# File used by Visual Studio to store sensitive data
secrets.json

# Docker definition files; the first two are commented out
# because they are already matched by the entries that follow
#docker-compose.yml
#docker-compose.yaml
compose.yml
compose.yaml

# CVE-2023-49103
phpinfo.php

# Python cache
__pycache__/

# Windows system ini files
boot.ini
system.ini
win.ini

# Node.js log file
pm2.log

# Generic log filename
debug.log

# MySQL/MariaDB config files
debian.cnf
my.cnf
mysql.cnf
mysqldump.cnf

# FTP config files
ftp-sync.json

# Yarn log files
yarn-debug.log
yarn-error.log

# Code coverage config file
coverage.xml

# /proc entries (keep in sync with lfi-os-files.data)
# grep -E "^proc/" lfi-os-files.data
proc/0
proc/1
proc/2
proc/3
proc/4
proc/5
proc/6
proc/7
proc/8
proc/9
proc/acpi
proc/asound
proc/bootconfig
proc/buddyinfo
proc/bus
proc/cgroups
proc/cmdline
proc/config.gz
proc/consoles
proc/cpuinfo
proc/crypto
proc/devices
proc/diskstats
proc/dma
proc/docker
proc/driver
proc/dynamic_debug
proc/execdomains
proc/fb
proc/filesystems
proc/fs
proc/interrupts
proc/iomem
proc/ioports
proc/ipmi
proc/irq
proc/kallsyms
proc/kcore
proc/key-users
proc/keys
proc/kmsg
proc/kpagecgroup
proc/kpagecount
proc/kpageflags
proc/latency_stats
proc/loadavg
proc/locks
proc/mdstat
proc/meminfo
proc/misc
proc/modules
proc/mounts
proc/mpt
proc/mtd
proc/mtrr
proc/net
proc/pagetypeinfo
proc/partitions
proc/pressure
proc/sched_debug
proc/schedstat
proc/scsi
proc/self
proc/slabinfo
proc/softirqs
proc/stat
proc/swaps
proc/sys
proc/sysrq-trigger
proc/sysvipc
proc/thread-self
proc/timer_list
proc/timer_stats
proc/tty
proc/uptime
proc/version
proc/version_signature
proc/vmallocinfo
proc/vmstat
proc/zoneinfo
/proc/
sftp.json

# /sys entries (keep in sync with lfi-os-files.data)
# grep -E "^sys/" lfi-os-files.data
sys/block
sys/bus
sys/class
sys/dev
sys/devices
sys/firmware
sys/fs
sys/hypervisor
sys/kernel
sys/module
sys/power
/sys/

# Vite.js development server endpoints (CVE-2025-30208)
# These endpoints allow arbitrary file system access and should never be exposed.
/@fs/
/@id/