Home / Tools / Block access to composer.json and package.json
Exposed Files · Scan Check Guide

Block access to composer.json and package.json

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Dependency manifest files (composer.json, package.json, requirements.txt) list every library and framework your application uses, with exact version numbers — publicly readable, this hands attackers a precise shopping list of known vulnerabilities to try against your specific stack.

composer.json and package.json list your exact dependency versions — a ready-made target list for attackers checking each one against known CVEs, instead of having to guess what you're running.

How to fix it

  1. 1
    Check what's exposed
    Visit yoursite.com/composer.json, /package.json, or /requirements.txt depending on your stack.
  2. 2
    Block direct access at the server level
    These files should never need to be served publicly — add a rule denying direct requests to them.
  3. 3
    Confirm your build process doesn't ship them to production
    Ideally these files stay in your build/deploy pipeline and never get copied into the actual public web root.

Common mistakes

How you'll know it's done

Dependency manifest files return 403/404 when requested directly over the web.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →