I have a site in Drupal 7. On running a security scan on the site, I came across a threat saying "A known sensitive file was found to be published within a publicly accessible web directory. Depending on the file it could disclose sensitive data such as user credentials and configuration data." For example, I am able to access /sites/all/libraries/colorbox/package.json. I need to block users from accessing similar files via URLs. I have the below code in my .htaccess file, but it doesn't work for blocking json file access:
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
Order allow,deny
</FilesMatch>
Please help.
The above code works fine. I made a mistake of not adding "package" pretext for json files. So the code in .htaccess should be:
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|(composer|package)\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
Order allow,deny
</FilesMatch>
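An added example, not part of the original posts: an offline check of which file names a FilesMatch pattern denies, comparing the question's name list with an ungrouped and a grouped way of adding "package". It assumes Python's `re` as a stand-in for Apache's PCRE (these constructs behave the same in both); every sample path except the colorbox package.json one is constructed.

```python
import posixpath
import re

# Head and tail copied from the question's rule; only the name list varies.
HEAD = (r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
        r"|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(")
TAIL = r")$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"
COMMON = r"Entries.*|Repository|Root|Tag|Template|"

PATTERNS = {
    # Name list as posted in the question.
    "question": HEAD + r"\..*|" + COMMON + r"composer\.(json|lock)" + TAIL,
    # "package" added without grouping: "composer" now matches only a file
    # literally named "composer", so composer.json is served again.
    "ungrouped": HEAD + r"\.(?!well-known).*|" + COMMON
                 + r"composer|package\.(json|lock)|web\.config" + TAIL,
    # "package" added inside a group shared with "composer".
    "grouped": HEAD + r"\.(?!well-known).*|" + COMMON
               + r"(composer|package)\.(json|lock)|web\.config" + TAIL,
}

# Constructed sample paths (only the first one appears on the page).
SAMPLES = [
    "/sites/all/libraries/colorbox/package.json",
    "/sites/all/libraries/colorbox/package-lock.json",  # npm lockfile name
    "/composer.json",
    "/composer.lock",
    "/web.config",
    "/sites/all/modules/views/views.module",
    "/misc/drupal.js",  # meant to stay public
]


def is_denied(pattern: str, url_path: str) -> bool:
    """FilesMatch tests the file's base name with an unanchored search."""
    return re.search(pattern, posixpath.basename(url_path)) is not None


def exposed(pattern_name: str) -> list:
    """Sample paths that the named pattern would still let Apache serve."""
    return [p for p in SAMPLES if not is_denied(PATTERNS[pattern_name], p)]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:10} still served: {exposed(name)}")
```

Running it shows that even the grouped form leaves package-lock.json reachable, because `package\.(json|lock)` matches package.lock rather than npm's lockfile name.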