server-info/.htaccess

.htaccess

This repo is not a real config file.

If this URL pattern made your heartbeat do a tiny security dance, congratulations. You’re exactly the kind of person this repo was made for.

No actual server config was leaked. But the URL pattern is very real, and thousands of bots scan for it every single day.

The setup

Apache's mod_info module exposes a dashboard at /server-info that prints your entire parsed configuration — every loaded module, every directive, every virtual host, every file path. It's a fantastic debugging tool. It is also a fantastic gift to anyone mapping your attack surface.

.htaccess is the per-directory config file Apache reads on every request. If mod_info is reachable from the public internet and your .htaccess files reference auth backends, internal paths, or rewrite rules that hint at hidden endpoints — all of that ends up in the dump.

Neither file is dangerous on its own. The combination, exposed publicly, is the issue.

Keep it secure

1. Don't expose mod_info to the internet. It's a local debugging tool. Bind it to loopback or your internal network only:

<Location "/server-info">
    SetHandler server-info
    Require ip 127.0.0.1
    Require ip ::1
</Location>

The same advice applies to mod_status at /server-status.

2. Confirm .ht* files can't be served directly. Apache ships with this block by default — make sure nothing has overridden it:

<Files ~ "^\.ht">
    Require all denied
</Files>

3. Quiet your server banner to reduce fingerprinting:

ServerTokens Prod
ServerSignature Off

4. Verify from outside. From a machine that isn't your server, run:

curl -I https://your-domain.example/server-info
curl -I https://your-domain.example/server-status

A 403 or 404 is the right answer. Anything else means you have homework.
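To turn steps 3 and 4 into a repeatable check, here is an added POSIX shell script (not part of this repo) that classifies the `curl -I` response for the `/server-info` and `/server-status` handlers and flags a `Server` banner that still carries a version string. The host name is a placeholder and the `SAMPLE` headers are constructed, so the classifiers can be exercised without touching the network.

```shell
#!/bin/sh
# Added example, not part of the server-info/.htaccess repo. Classifies the
# `curl -I` response from step 4 and checks the Server banner from step 3.
# Usage: sh check_exposure.sh https://your-domain.example/server-info
# (the host name is a placeholder; the SAMPLE headers below are constructed).

exposure_verdict() {
    # Reads raw response headers on stdin. The first line is the status line,
    # e.g. "HTTP/1.1 403 Forbidden" or "HTTP/2 200". CRs are stripped so the
    # match does not depend on curl's line endings.
    status=$(tr -d '\r' | sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*$|\1|p')
    case "$status" in
        403|404)          echo locked   ;;   # the right answer
        200)              echo exposed  ;;   # handler reachable from outside
        301|302|307|308)  echo redirect ;;   # re-check the Location target
        *)                echo unknown  ;;   # no HTTP status line at all
    esac
}

banner_leaks_version() {
    # ServerTokens Prod yields "Server: Apache". A "/" in the value means a
    # version string (and often an OS/module list) is handed to scanners.
    server=$(tr -d '\r' | sed -n 's/^[Ss]erver: *//p' | head -n 1)
    case "$server" in
        */*) echo yes ;;
        *)   echo no  ;;
    esac
}

check_endpoint() {
    # Live check: fetch the headers once and feed both classifiers.
    hdrs=$(curl -sI --max-time 10 "$1") || { echo "$1: no response"; return 0; }
    printf '%s: handler=%s banner_leak=%s\n' "$1" \
        "$(printf '%s\n' "$hdrs" | exposure_verdict)" \
        "$(printf '%s\n' "$hdrs" | banner_leaks_version)"
}

# Constructed sample of an exposed, version-leaking server (not a real capture).
SAMPLE='HTTP/1.1 200 OK
Server: Apache/2.4.x (Unix)
Content-Type: text/html; charset=ISO-8859-1'

printf '%s\n' "$SAMPLE" | exposure_verdict        # exposed
printf '%s\n' "$SAMPLE" | banner_leaks_version    # yes

for url in "$@"; do check_endpoint "$url"; done
```

Run it against both `/server-info` and `/server-status` on every public vhost; a `redirect` verdict means the check has to be repeated against the `Location` target before it counts as locked down.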

Further reading


Stay configured, friends.

About

Your worst Apache misconfiguration