Do not allow dotfiles in Express static middleware | Critiq Docs

#Metadata

Rule ID: ts.security.express-static-dotfiles-allow
Severity: medium
Confidence: 0.84
Languages: javascript, typescript
Presets: security, strict
Stability: stable
Applies to: block
Tags: express, filesystem, rules-catalog, security

#Why it matters

Allowing dotfiles can expose hidden configuration and secrets through the static file middleware.

#Remediation

Use the default dotfiles ignore behavior or serve dotfiles from a tightly scoped directory with access controls.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml.

Back to directory Open rule in repository