I have a site in Drupal 7. On running a security scan on the site, I came across a threat saying “A known sensitive file was found to be published within a publicly accessible web directory. Depending on the file it could disclose sensitive data such as user credentials and configuration data.”
For example, I am able to access /sites/all/libraries/colorbox/package.json
I need to block users from accessing similar files from URLs.
I have the below code in my .htaccess file, but it doesn’t work for blocking json file access:
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
  Order allow,deny
</FilesMatch>
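
Added example (not part of the original post): a Python check that runs the rule's pattern, with its regex backslashes in place, over constructed file names. It shows that the only JSON names the pattern lists are composer.json and composer.lock, so package.json never matches, and then renders a separate FilesMatch rule for the extra names. EXTRA_NAMES, SAMPLE and the helper function names are assumptions made for illustration.

```python
import re

# Pattern from the .htaccess rule in the post, regex backslashes in place.
DRUPAL_PATTERN = (
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
)

# Assumption: manifest names to deny as well; adjust to what the scan reports.
EXTRA_NAMES = ["package.json", "package-lock.json", "bower.json"]

# Constructed sample of base names as found under sites/all/libraries.
SAMPLE = ["package.json", "composer.json", "colorbox.module", ".gitignore",
          "jquery.colorbox-min.js", "package-lock.json"]


def extra_pattern(names=EXTRA_NAMES):
    """Anchored alternation that matches exactly the given file names."""
    return "^(" + "|".join(re.escape(n) for n in names) + ")$"


def is_denied(filename, pattern):
    """FilesMatch tests the regex against the file's base name, unanchored."""
    return re.search(pattern, filename) is not None


def audit(names, pattern):
    """Map each base name to True if the rule would deny it."""
    return {n: is_denied(n, pattern) for n in names}


def filesmatch_block(pattern):
    """Render a deny rule in the same syntax as the rule in the post."""
    return '<FilesMatch "%s">\n  Order allow,deny\n</FilesMatch>' % pattern


if __name__ == "__main__":
    for name, hit in audit(SAMPLE, DRUPAL_PATTERN).items():
        print("existing rule:", "DENY " if hit else "ALLOW", name)
    combined = DRUPAL_PATTERN + "|" + extra_pattern()
    for name, hit in audit(SAMPLE, combined).items():
        print("extended rule:", "DENY " if hit else "ALLOW", name)
    print(filesmatch_block(extra_pattern()))
```

The rendered block can sit next to the existing rule in .htaccess; requesting one of the listed files afterwards should return 403.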