Excluding anything that starts with a period also doesn't work - RFC 5785 specs ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		realityking on July 27, 2015 \| parent \| context \| favorite \| on: One in every 600 websites has .git exposed Excluding anything that starts with a period also doesn't work - RFC 5785 specs the folder .well-known with special meaning.

samuellb on July 27, 2015 [–]

True, but you can whitelist /.well-known/. I don't think anything else uses dot-filenames in URLs, because not all operating systems and software even allow such file names (for instance, the file browser in Windows forbids it when creating a new file or folder).

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact