robots.txt reveals sensitive paths
Your robots.txt file, a publicly readable text file that asks search engine crawlers not to crawl certain paths, lists internal or sensitive paths by name, such as admin panels, API endpoints or backup locations.
Why this matters
robots.txt is a request that well-behaved crawlers honour voluntarily; it enforces nothing. Anyone can fetch it, and fetching /robots.txt is a routine first step for both automated scanners and manual reconnaissance precisely because it tends to name the parts of a site the owner wanted hidden. Listing sensitive paths in Disallow rules therefore hands a map of your private areas to anyone who looks, while doing nothing to keep out a crawler that ignores the file or a person who reads it. Nor does Disallow reliably keep a URL out of search results: a crawler that sees the URL linked elsewhere may still list it, just without fetching its content.
How to fix it
Remove the specific sensitive paths from your robots.txt and put real access controls in front of them (authentication, password protection, or server-side rules that return 401 or 403 to anonymous clients) so that unauthorised access is actually prevented. A path that refuses unauthenticated requests does not need a Disallow entry at all, because the crawler is turned away like everyone else and its content will not be indexed. If you still want to steer crawlers away from an area that is merely noisy rather than sensitive, disallow a generic parent prefix instead of naming each private sub-path, or send an X-Robots-Tag: noindex response header. Security through obscurity alone is not a defence, but there's no reason to advertise the paths either.
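As an added check (example code written for this page, not something the page or any scanner ships), the script below parses a robots.txt, flags Disallow values that name a sensitive-looking area, and then asks which of those paths an anonymous client can actually fetch. The keyword list, both sample robots.txt files and the fake_probe stand-in for a live HTTP request are constructed assumptions; replace fake_probe with a real unauthenticated GET to audit your own site.

```python
"""Audit a robots.txt for Disallow rules that advertise sensitive paths.

Added example; not code from the page. The keyword list, the sample
robots.txt files and the fake HTTP probe are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Assumption: substrings that usually mark a non-public area. Tune per site.
SENSITIVE_HINTS = ("admin", "api", "internal", "private", "backup", "config",
                   "debug", "secret", "staging", "phpmyadmin", ".git")

# Constructed "before" file: the finding as a scanner would see it.
LEAKY_ROBOTS = """\
# constructed example, not a real site
User-agent: *
Disallow: /admin/
Disallow: /api/v2/internal/
Disallow: /backup/db.sql
Disallow: /tmp/

User-agent: Googlebot
Allow: /public/
Disallow: /cgi-bin/
"""

# Constructed "after" file: private areas are gated server-side and no
# longer named; only harmless crawler hints remain.
CLEAN_ROBOTS = """\
User-agent: *
Disallow: /tmp/
Disallow: /*?sessionid=
"""


@dataclass
class Group:
    """One User-agent block with its Allow/Disallow rules."""
    agents: List[str]
    disallow: List[str] = field(default_factory=list)
    allow: List[str] = field(default_factory=list)


def parse_robots(text: str) -> List[Group]:
    """Parse robots.txt into groups; comments and blank lines are ignored."""
    groups: List[Group] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            # Consecutive User-agent lines share one rule set; a User-agent
            # that follows any rule starts a new group.
            if current is None or current.disallow or current.allow:
                current = Group(agents=[])
                groups.append(current)
            current.agents.append(value)
        elif key in ("disallow", "allow") and current is not None:
            if value:                            # bare "Disallow:" blocks nothing
                getattr(current, key).append(value)
    return groups


def sensitive_disallows(groups: List[Group]) -> List[Tuple[Tuple[str, ...], str]]:
    """Return (agents, path) for every Disallow value that names a sensitive area."""
    hits = []
    for g in groups:
        for path in g.disallow:
            if any(h in path.lower() for h in SENSITIVE_HINTS):
                hits.append((tuple(g.agents), path))
    return hits


def reachable(hits, probe: Callable[[str], int]) -> List[str]:
    """Keep only flagged paths that an anonymous client can actually fetch.

    probe(path) returns the status of an unauthenticated GET without following
    redirects; in real use pass something like
    lambda p: requests.get(base + p, allow_redirects=False).status_code.
    A 2xx means the file advertises a private area that is not gated; a
    401/403 or a redirect to a login page means the entry is only noise.
    """
    seen = dict.fromkeys(path for _, path in hits)   # dedupe, keep order
    return [p for p in seen if 200 <= probe(p) < 300]


# Constructed stand-in for a live probe: /admin/ bounces to a login page,
# the other two are served to anyone.
FAKE_STATUS = {"/admin/": 302, "/api/v2/internal/": 200, "/backup/db.sql": 200}


def fake_probe(path: str) -> int:
    return FAKE_STATUS.get(path, 404)


if __name__ == "__main__":
    hits = sensitive_disallows(parse_robots(LEAKY_ROBOTS))
    for agents, path in hits:
        print(f"advertised to {','.join(agents)}: {path}")
    print("reachable anonymously:", reachable(hits, fake_probe))
    print("clean file flags:", sensitive_disallows(parse_robots(CLEAN_ROBOTS)))
```

The list that matters is the last one from reachable: a Disallow entry whose path returns 2xx to an unauthenticated client is the real finding, and the fix is the missing access control, not a different robots.txt. Entries that return 401/403 or bounce to a login page are only advertising and can simply be deleted.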