Js folder predictable forced browsing

Is it possible to put any further security on the /js/ folder? I am using nginx. This allows the user to view plain text versions of the files in the directory.

Matomo version: 5.1.2
MySQL version: 5.7.12
PHP version: 8.3.13

We got the following security scan report:
Category: Web Application
CVE: -
CVSS base score: 2.1
Description: Predictable Resource Location Via Forced Browsing
Host: {MYIPADDRESS}
Threat: -
Impact: -
Solution: -
PCI compliant: No
PCI details: -
Reason: The vulnerability is not included in the NVD.
PCI severity: low
Port: 443 / tcp
Host name: mydomain .com
Host OS: -
Result:
url: mydomain_com/js/
Payload: mydomain_com/js/
comment:
Original URL is: mydomain_com/

matched: HTTP/1.1 200 OK
CVSS Base Score: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 1.7 (E:U/RL:W/RC:C)
Severity: 2
Category: Web Application
CVE ID:
Vendor Reference:
Bugtraq ID:
Date Updated: Apr 6, 2024
Threat: A file, directory, or directory listing was discovered on the Web server. These resources are confirmed to be present based on our logic. Some of the content on these files might have sensitive information.
NOTE: Links found in 150004 are found by forced crawling so will not automatically be added to 150009 Links Crawled or the application site map. If links found in 150004 need to be tested they must be added as Explicit URI so they are included in scope and then will be reported in 150009. Once the link is added to be in scope (i.e. Explicit URI) this same link will no longer be reported for 150004.

Impact: The contents of this file or directory may disclose sensitive information.
Solution: It is advised to review the contents of the disclosed files. If the contents contain sensitive information, please verify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.

Hi @dsekely_b
Did you try the .htaccess file?
Did you also check the :gear: > Diagnostic > System Check page to see if there is solution there?

I am using nginx, not Apache. Nothing shows in the system check that is related to the issue I am experiencing.

Hi,
I also use nginx for my Matomo installation. To prevent unauthorized access to various folders, you can use the following lines in /etc/nginx/sites-available/your_site.conf:

location /path/to/matomo/js/ {
    allow 127.0.0.1;  # only local access
    deny all;         # no access for all others
}
Maybe it will help you.
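An added nginx example, not the poster's configuration and not Matomo's shipped config, showing the weak setting the scanner keys on (directory listings) next to the hardened form, with the reply's deny on /js/ kept while Matomo's js/index.php tracker entry point stays reachable. The root, server_name and PHP-FPM socket are placeholders, and it assumes Matomo is installed at the root of the server block.

```nginx
# Added example, not the poster's config nor Matomo's shipped config.
# Assumes Matomo is installed at the root of this server block; the
# root, server_name and PHP-FPM socket below are placeholders.
server {
    listen 443 ssl;
    server_name mydomain.example;      # placeholder host name
    root /var/www/matomo;              # placeholder install path
    index index.php;

    # Weak setting the scanner is looking for: auto-generated listings.
    # autoindex on;
    # Hardened: never generate "Index of /js/" pages on this vhost.
    autoindex off;

    # ^~ stops a later "location ~ \.php$" block from taking over
    # requests under /js/, so nothing in that folder is served as PHP
    # or as a plain file unless it is explicitly allowed below.
    location ^~ /js/ {
        # Matomo serves its tracker script from js/index.php when the
        # tracker is loaded from the /js/ path; keep that one reachable.
        # If js/tracker.php is used as the tracking endpoint as well,
        # add a matching "location = /js/tracker.php" block.
        location = /js/index.php {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        }
        # Everything else under /js/, including a request for the bare
        # directory, now answers 403 instead of a file or a listing.
        # To restrict by client address instead, as in the reply above,
        # use "allow 127.0.0.1; deny all;" here in place of return.
        return 403;
    }

    # The remaining Matomo PHP entry points and static files are
    # configured here as in a normal Matomo setup (omitted).
}
```

After reloading nginx, a request for /js/ should return 403 rather than the 200 the scan matched on, while /js/index.php still returns the tracker script.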