.DS_Store Exposure.

Security Sensitive File Exposure

macOS .DS_Store files reveal directory structure and file names

What does this check test?

`.DS_Store` (Desktop Services Store) is a hidden file automatically created by macOS Finder in every directory that is opened. It contains metadata about the directory's contents, including file and folder names, icon positions, and view settings. When a developer on macOS deploys code, these files may be inadvertently included. Publicly accessible `.DS_Store` files can be parsed to reveal the names of files and directories on the server, including files that may not be linked or indexed.

Why does it matter?

While `.DS_Store` files do not contain file contents, they do reveal file and directory names — including ones that are intentionally hidden from public access. An attacker can parse a `.DS_Store` file to discover paths like `/backup/`, `/api/internal/`, `/config.php.bak`, or `/test-credentials.txt` that would otherwise require brute-force guessing. This turns a minor information leak into a roadmap for further attacks. Tools like `ds_store_exp` automate the recursive discovery of files via `.DS_Store` parsing.

Who is affected?

Teams with macOS developers who deploy directly from their machines or commit `.DS_Store` files to version control are most at risk. This is especially common in agencies, freelance work, and smaller teams without strict deployment pipelines. Any project where developers use Finder to navigate the codebase will generate these files. Larger organizations with CI/CD pipelines that build from clean checkouts are less likely to be affected.

Where does this apply?

Check for `.DS_Store` at the web root (`/.DS_Store`) and in common directories (`/images/.DS_Store`, `/assets/.DS_Store`, `/uploads/.DS_Store`). The file is binary: a genuine hit returns a body of non-printable bytes beginning with the magic bytes `\x00\x00\x00\x01Bud1`, so confirm those bytes rather than trusting a 200 status alone, which a soft-404 page can also return. You can also search your project tree for stray copies with `find . -name .DS_Store`.
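As an added example (not part of the AppVet check or any tool the page names), the following Python helper confirms that a fetched body really is a `.DS_Store` file by its magic bytes and heuristically lists the names it records, so you can verify exactly what an exposed copy reveals before deciding how urgent the cleanup is. It assumes the documented record layout (length-prefixed UTF-16BE name, 4-byte structure ID, 4-byte data type, data) and scans for known structure IDs instead of walking the file's B-tree; the sample bytes are constructed, not taken from a real file.

```python
import struct

DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"
# Subset of the 4-byte structure IDs that follow a name inside a .DS_Store record
# (icon location, window/view settings, comments, and so on).
KNOWN_STRUCT_IDS = {b"Iloc", b"bwsp", b"lsvp", b"lsvP", b"icvp", b"fwi0", b"fwsw", b"fwvh",
                    b"vstl", b"BKGD", b"ICVO", b"pict", b"cmmt", b"dilc", b"icgo", b"icsp",
                    b"logS", b"lg1S", b"lssp", b"moDD", b"modD", b"ph1S", b"phyS", b"vSrn"}

def is_ds_store(body: bytes) -> bool:
    """True only for a real .DS_Store; a soft-404 HTML page served with 200 fails."""
    return body.startswith(DS_STORE_MAGIC)

def extract_names(body: bytes, max_name_len: int = 255) -> list:
    """Heuristically list the names recorded in .DS_Store bytes.
    Record layout: uint32 name length (UTF-16 code units), UTF-16BE name,
    4-byte structure ID, 4-byte data type, data. Instead of walking the
    buddy-allocator B-tree, scan for structure IDs and accept a record only
    if a length-prefixed UTF-16BE name sits directly in front of it."""
    names = []
    for i in range(8, len(body) - 3):          # skip the 8-byte magic header
        if body[i:i + 4] not in KNOWN_STRUCT_IDS:
            continue
        for n in range(1, max_name_len + 1):   # candidate name lengths
            start = i - 2 * n - 4              # where the length field would sit
            if start < 0:
                break
            if struct.unpack(">I", body[start:start + 4])[0] != n:
                continue
            try:
                name = body[start + 4:i].decode("utf-16-be")
            except UnicodeDecodeError:
                break
            if name.isprintable() and name not in names:
                names.append(name)
            break
    return names

def _record(name: str, struct_id: bytes, data_type: bytes, data: bytes) -> bytes:
    """Build one record for the constructed sample below (not from a real file)."""
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + struct_id + data_type + data

# Constructed sample: real magic bytes plus a few records; a real file also carries
# allocator and B-tree bookkeeping between the header and the records.
SAMPLE = (DS_STORE_MAGIC + b"\x00" * 24
          + _record("backup", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
          + _record("backup", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
          + _record("config.php.bak", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
          + _record("index.html", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16))
```

Feed the raw response body of a `/.DS_Store` request to `is_ds_store` first; only a body that passes is worth running through `extract_names`.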

How to fix it

Prevent `.DS_Store` files from being committed to version control:

```bash
# Add to global .gitignore
echo '.DS_Store' >> ~/.gitignore_global
git config --global core.excludesfile ~/.gitignore_global

# Remove existing .DS_Store files from repo
find . -name '.DS_Store' -type f -delete
git add -A && git commit -m 'Remove .DS_Store files'
```

Block access at the web server level:

```nginx
location ~ /\.DS_Store {
    # return runs before deny is evaluated, so clients see a plain 404 rather than a 403
    deny all;
    return 404;
}
```

Disable `.DS_Store` creation on network volumes:

```bash
defaults write com.apple.desktopservices DSDontWriteNetworkStores true
```

Include `.DS_Store` in your deployment exclusion rules and CI/CD pipeline cleanup steps.

AppVet checks .DS_Store Exposure automatically
