Fix guide · medium · drupal_changelog_exposed
Drupal /CHANGELOG.txt publicly exposed
What this rule means
A request to /CHANGELOG.txt returned a Drupal-shaped changelog that discloses the installed version.
Why it matters
This is the same kind of exposure as WordPress readme.html: the file reveals the exact version, which maps to known CVEs.
How to fix it
Block access to the file or remove it:
# Apache .htaccess
<Files "CHANGELOG.txt">
    Require all denied
</Files>
# Nginx
location = /CHANGELOG.txt { deny all; }
And keep Drupal core updated.
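To confirm the block took effect before re-running a scan, the check below classifies the response to a request for /CHANGELOG.txt. It is an added example, not vibecheck's own detection code. It assumes "Drupal-shaped" means release lines of the form `Drupal <version>, <YYYY-MM-DD>`; the function names and sample bodies are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Assumption: a Drupal core changelog opens each release entry with a line
# such as "Drupal 7.99, 2030-01-01" (newest entry first).
RELEASE_LINE = re.compile(
    r"^Drupal (\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?), (\d{4}-\d{2}-\d{2})", re.M
)


def classify(status, body):
    """Return (verdict, version) for one response to GET /CHANGELOG.txt."""
    if status in (401, 403, 404, 410):
        return ("blocked", None)
    match = RELEASE_LINE.search(body) if status == 200 else None
    if match:
        # The first release line is the newest entry, i.e. the disclosed version.
        return ("exposed", match.group(1))
    # 200 with a non-changelog body (soft 404, app shell) or a 5xx:
    # no version is disclosed, but the deny rule is not clearly in effect.
    return ("inconclusive", None)


def check_site(base_url, timeout=10):
    """Fetch <base_url>/CHANGELOG.txt from your own site and classify it."""
    url = base_url.rstrip("/") + "/CHANGELOG.txt"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is all we need here.
        status, body = err.code, ""
    return classify(status, body)


# Constructed sample bodies (not captured from a real site).
SAMPLE_EXPOSED = (
    "\nDrupal 7.99, 2030-01-01\n-----------------------\n"
    "- Fixed security issues.\n\nDrupal 7.98, 2029-12-01\n"
)
SAMPLE_SOFT_404 = "<!doctype html><title>Page not found</title>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_EXPOSED))   # before the fix
    print(classify(403, ""))               # after "deny all" / "Require all denied"
    print(classify(200, SAMPLE_SOFT_404))  # custom error page served with 200
```

An "inconclusive" verdict usually means a custom error page is answering with status 200, so check that the deny rule is actually being hit.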
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.