The hide function denies access, instead of just hiding

1. The problem I’m having:

I am trying to hide a folder, not deny access to it.

2. Error messages and/or full log output:

None

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

Installed from Ubuntu’s repository

a. System environment:

Ubuntu 24.04, x86_64, systemd

b. Command:

systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

mydomain {
        root * /var/www/html/
        file_server {
                browse
                hide .*
        }
}

5. Links to relevant resources:

Type here

hide is a list of files or folders to hide; if requested, the file server will pretend they do not exist.

Proof or didn’t happen.

You’re using an unsupported version. The latest is 2.11.4, follow our official installation instructions.

Sorry, I didn’t get emails about replies, not sure why.

I just updated to 2.11.4 (using the official Caddy deb repo), sorry, I’m not sure why Debian/Ubuntu are holding on the insanely old version, that is my bed and I apologise.

I am still getting a 404 when trying to access the hidden path:

curl -I https://my.server/.testing/ 
HTTP/2 404  
**alt-svc**: h3=":443"; ma=2592000 
**server**: Caddy 
**date**: Wed, 24 Jun 2026 02:06:41 GMT

The way I’m reading the documentation, “if requested, the file server will pretend they do not exist” is exactly what a 404 would be.

I guess my definition of hide is different from others. Something that is hidden is still accessible if you have the location. Currently, the hide function prevents access.

What does “have the location” mean though? Does guessing it count? Because enumeration attacks are a large part of Internet traffic.

I’m going to unsubscribe from this. The naming of the hide function is poor, end of story. I’ll find another way.