Got 200 on an URL that should gives a 404

I just passed my website made with Grav on the Spaghetti scanner.

It listed a lot of common used files and folders. I tried many of those knowing those files and folders didn't exist at all on my webserver.

Every links (like https://example.com/node.xml.zip) give a HTTP 200 with my homepage displayed ; it should be a 404.

It can be a SEO disaster and a pain in the 4ss to discover real vulnerabilities with a scanner…

I'm using the default .htaccess file, directly on a domain name.

Am I missing something ?

Regards

Solution

Turns out this is indeed an error with Grav. I opened an issue on Github and the bug has already been patched.

You should see a fix for this behavior in the next release.

Update:
As of the 1.3.8 release (October 27th, 2017), this bug fix has been officially released.

Сomplex delete duplicates
SwiftUI optional state variable binding with if let
addEventListener to elements of array whose target is in a different array of different length
How does the compiler remove const from my const copy?
Using regex in Postgres for special characters
Arrow functions and the use of parentheses () or {} or ({})
Extract values from a dataframe based on values in another dataframe
Any hints for those that want to upgrade from Delphi 7 (and down) to Delphi 2010?
Cloning environment with micromamba
Set ANDROID_HOME environment variable in mac
partitionOverwriteMode dynamic and "logical" partitions
error: uint64_t was not declared in this scope when compiling C++ program
Returning dynamic query results from PL/PGSQL function, multiple rows
Encode JSON data with two tables using join?
CPU overheating because of Delphi IDE
Where to install Android SDK on Mac OS X?
WARNING in budgets, maximum exceeded for initial
Streaming multiple TObjects to a TMemoryStream
ShellExecute not working from IDE but works otherwise
How to retrieve a file from Internet via HTTP?
Use another MapStruct mapper only inside an expression clause
How do I use openupgradelib to update from odoo15 to odoo16?
Tailwind CSS checkbox styles are not working
How to convert bounding box (x1, y1, x2, y2) to YOLO Style (X, Y, W, H)
How to set an Apache rewrite rule for a destination that contains a hash mark?
MySQL Error 1215: Cannot add foreign key constraint
How does Linux (via SYS_WRITE) deal with the ASCII (control) codes from 0 to 31?
Cannot install components that worked under D7 in D2009
Is there a way to make a collection class of a single element class?
How to logically populate dates as 1st column, then have metrics in additional columns?