Product: TIBCO Spotfire®
Security scanners report "Web Server Misconfiguration: Unprotected File" because of the existence of *.gz files
Web security and vulnerability scanners such as HP Webinspect may report files with the file extension .gz as risks.
Webinspect has detected an archive file with the .gz extension on the target server. The severity of the threats posed by the web-accessible backup files depends on the sensitivity of the information stored in the original document. Based on that information, an attacker can gain sensitive information about the site architecture, database and network access credential details, encryption keys, and so forth from these files. The attacker can use the information obtained to craft precise targeted attacks, which may not otherwise be feasible, against the application.
Spotfire has a number of files that end with .gz available on the following URLs that may be reported as security threats.
These files are not backup files, do not contain any sensitive data and do not pose any risk at all.
The *.gz files are precompressed versions of the files without the .gz extension that exist in the same folder. The purpose of these files is to speed up downloads and to reduce the need for the web server to compress static files.
No action needs to be taken, as the files do not put the system at risk in any way.
It is possible to delete the files as long as the corresponding files without the .gz extension are left intact. However, without them the server will require more CPU resources to compress data while in operation, and the end user experience may be worse due to longer transfer times.
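When triaging such a scanner finding, the claim that each .gz file is a precompressed copy can be checked by decompressing it and comparing the result with the file of the same name without the .gz extension. The Python script below is an added example, not TIBCO or Tomcat code; the function names and the sample file tree are constructed for illustration.

```python
import gzip
import tempfile
import zlib
from pathlib import Path


def audit_precompressed(root):
    """Classify every *.gz under root against its uncompressed sibling."""
    root = Path(root)
    findings = {"match": [], "orphan": [], "mismatch": [], "not_gzip": []}
    for gz_path in sorted(root.rglob("*.gz")):
        if not gz_path.is_file():
            continue
        rel = gz_path.relative_to(root).as_posix()
        sibling = gz_path.with_suffix("")  # app.js.gz -> app.js
        if not sibling.is_file():
            findings["orphan"].append(rel)  # no original: review by hand
            continue
        try:
            with gzip.open(gz_path, "rb") as fh:
                unpacked = fh.read()
        except (OSError, EOFError, zlib.error):
            findings["not_gzip"].append(rel)  # .gz name, but not valid gzip
            continue
        key = "match" if unpacked == sibling.read_bytes() else "mismatch"
        findings[key].append(rel)
    return findings


def build_sample_tree(root):
    """Constructed sample data; file names are illustrative, not Spotfire's."""
    root = Path(root)
    script = b"console.log('hi');\n"
    (root / "js").mkdir()
    (root / "js" / "app.js").write_bytes(script)
    (root / "js" / "app.js.gz").write_bytes(gzip.compress(script))
    (root / "site-backup.sql.gz").write_bytes(gzip.compress(b"-- dump\n"))
    (root / "style.css").write_bytes(b"body{}\n")
    (root / "style.css.gz").write_bytes(gzip.compress(b"body{color:red}\n"))
    (root / "logo.png").write_bytes(b"\x89PNG")
    (root / "logo.png.gz").write_bytes(b"plain bytes, not gzip")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for status, paths in audit_precompressed(build_sample_tree(tmp)).items():
            print(f"{status:9} {paths}")
```

Only entries under "match" fit the description of a precompressed static file; anything listed as orphan, mismatch or not_gzip should be inspected before the finding is closed.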
https://tomcat.apache.org/tomcat-8.5-doc/default-servlet.html See property 'precompressed'
https://tomcat.apache.org/tomcat-8.0-doc/default-servlet.html See property 'gzip'