Home / Tools / Remove exposed .DS_Store files
Exposed Files · Scan Check Guide

Remove exposed .DS_Store files

10 min Impact: low Effort: low ✓ Scan-verified — no manual checkbox

.DS_Store is a hidden file macOS automatically creates in every folder you browse in Finder — if a developer uploads files to your server from a Mac without cleaning these up, they can end up publicly accessible and reveal a full list of every filename in that directory, including ones with no direct links pointing to them.

A Mac Finder artifact that quietly leaks your real directory structure and file names to anyone who requests it — harmless to create, easy to forget, trivial for an attacker to use for reconnaissance.

How to fix it

  1. 1
    Check for exposure
    Visit yoursite.com/.DS_Store — if it downloads, it's exposed and readable with any hex editor or dedicated parser tool.
  2. 2
    Remove existing files
    Search your server for any .DS_Store files and delete them.
  3. 3
    Prevent future ones from being uploaded
    Add .DS_Store to your deployment exclude list (.gitignore, deploy script ignore rules) so Mac-created ones never ship again.
  4. 4
    Block at the server level as backup
    Add a rule denying access to any .DS_Store file, regardless of location.

Common mistakes

How you'll know it's done

No .DS_Store files are accessible via direct URL, and your deployment process excludes them going forward.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →