Anything in public/ or static/ is served unauthenticated at a predictable URL and gets crawled by search engines, archived by the Wayback Machine, and mirrored by LLM training scrapers within hours of deploy. A users.json export left in public/ during a seed-data experiment becomes a permanent breach — rotating credentials doesn't unpublish the file from caches, and GDPR / CCPA notification obligations trigger the moment the file was reachable. AI coding tools produce this failure mode when they're asked to "load the users into the page" and helpfully move a CSV next to the component that imports it, or when a migration script writes its output to the first writable directory it finds. The file doesn't even need to be linked — directory listings, sitemap leaks, and filename-guessing all find it.
Critical because a PII file in `public/` is a completed data breach the moment the site deploys — indexed, cached, and archived by third parties within hours, with no recall path once exposure has occurred.
Move any data files out of `public/` immediately, rotate any exposed credentials, and audit your repo history (for example `git log -p public/data/users.json`) to understand the exposure window.
Deeper remediation guidance and cross-reference coverage for this check lives in the data-protection Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.
Check: project-snapshot.data-exposure.no-pii-in-client-bundle
Severity: critical
Scope: `public/`, `static/`, `assets/`, and any directory that gets shipped to the client. Search filenames and content for indicators of PII or internal data: users.json, customers.json, emails.csv, subscribers.txt, files containing email patterns (@-and-domain) at scale (>20 occurrences), files with phone-number patterns, or any JSON/CSV with name/address/SSN-style columns.
Skip only if the project has no `public/` or `static/` directories. Note: Astro/Next/Vite projects always have these — be cautious before skipping.
A file that looks like test data (e.g. test-users.json) but is in a path that ships to production (anything under `public/` does) still counts. Test fixtures belong in `tests/` or `__fixtures__/`, never in `public/`.
Use `<redacted>` in the report if quoting would expose data.
Pass: "Scanned N files in public/static directories; 0 PII patterns detected."
Fail: "public/data/users.json contains 1240 user records with email addresses".
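As an added example (not the audit tool's own code), the detection rules above written as a small Python scanner: it walks the client-shipped directories, applies the filename, email-at-scale (>20), phone-number and PII-column indicators, and produces the pass/fail line in the shape the check reports. The directory names, thresholds and regexes are taken from the rule text; the exact regex patterns and the `CRITICAL:` prefix are this example's assumptions.

```python
import json
import re
from pathlib import Path

CLIENT_DIRS = ("public", "static", "assets")   # everything under these ships to the browser
SUSPECT_NAMES = {"users.json", "customers.json", "emails.csv", "subscribers.txt"}
PII_COLUMNS = {"name", "first_name", "last_name", "address", "ssn"}
EMAIL_RE, EMAIL_THRESHOLD = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), 20   # fires "at scale": >20 hits
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")                   # assumed NANP-style pattern

def records_and_columns(name: str, text: str) -> tuple[int, set[str]]:
    """Best-effort record count and column names for JSON arrays of objects and CSV files."""
    if name.endswith(".json"):
        try:
            data = json.loads(text)
        except ValueError:           # malformed JSON in public/ must not abort the scan
            return 0, set()
        if isinstance(data, list) and data and isinstance(data[0], dict):
            return len(data), {str(k).lower() for k in data[0]}
    elif name.endswith(".csv"):
        rows = [r for r in text.splitlines() if r.strip()]
        if rows:
            return len(rows) - 1, {c.strip().lower() for c in rows[0].split(",")}
    return 0, set()

def scan_content(rel_path: str, text: str) -> list[str]:
    """Findings for one client-shipped file; an empty list means no PII indicator matched."""
    name = Path(rel_path).name.lower()
    count, cols = records_and_columns(name, text)
    emails = len(EMAIL_RE.findall(text))
    findings = []
    if name in SUSPECT_NAMES:
        findings.append(f"{rel_path}: filename indicates a data export")
    if emails > EMAIL_THRESHOLD:
        what = f"{count} records" if count else f"{emails} occurrences"
        findings.append(f"{rel_path} contains {what} with email addresses")
    if PHONE_RE.search(text):
        findings.append(f"{rel_path}: phone-number patterns present")
    if cols & PII_COLUMNS:
        findings.append(f"{rel_path}: PII-style columns {sorted(cols & PII_COLUMNS)}")
    return findings

def scan_project(root: Path) -> tuple[int, list[str]]:
    """Walk every client-shipped directory under root; return (files scanned, findings)."""
    files = [p for d in CLIENT_DIRS if (root / d).is_dir() for p in (root / d).rglob("*") if p.is_file()]
    # errors="replace": binary assets (images, fonts) are read but never raise
    findings = [f for p in files for f in scan_content(p.relative_to(root).as_posix(), p.read_text(errors="replace"))]
    return len(files), findings

def verdict(scanned: int, findings: list[str]) -> str:
    """Single pass/fail line in the shape the check reports."""
    return ("CRITICAL: " + "; ".join(findings)) if findings else (
        f"Scanned {scanned} files in public/static directories; 0 PII patterns detected.")
```

Run it from the project root with `print(verdict(*scan_project(Path("."))))`; a non-empty findings list is the signal to start the remediation steps above, since the file has already shipped.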