Files in WEB-INF are not visible to the users. It’s a bit safer that way.
If (a contrived example) you are including db.jsp, but by itself it throws an exception, a malicious user can open http://yoursite.com/db.jsp and get some insight on your application (worst – the database credentials) from the exception message.
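
One way to audit a webapp for this situation, as an added example that is not part of the original answer: the script lists JSP files that other pages include but that sit outside WEB-INF, so they can also be requested directly. The function names, the regular expression and the sample tree (`index.jsp`, `WEB-INF/jspf/header.jsp`) are constructed for illustration; only `db.jsp` comes from the text above.

```python
import posixpath
import re
import tempfile
from pathlib import Path

# Static include directive and dynamic include action, double-quoted paths only.
INCLUDE_RE = re.compile(
    r'<%@\s*include\s+file\s*=\s*"([^"]+)"|<jsp:include\s+page\s*=\s*"([^"]+)"',
    re.IGNORECASE,
)

def find_exposed_includes(webroot):
    """Return sorted context-relative paths of include targets stored outside WEB-INF."""
    root = Path(webroot)
    exposed = set()
    for page in root.rglob("*.jsp*"):          # .jsp, .jspf, .jspx
        if not page.is_file():
            continue
        page_dir = "/" + page.parent.relative_to(root).as_posix()
        text = page.read_text(encoding="utf-8", errors="replace")
        for match in INCLUDE_RE.finditer(text):
            target = (match.group(1) or match.group(2)).split("?")[0]
            if "${" in target or "<%" in target:
                continue                        # computed at run time, cannot resolve here
            # A leading "/" is context-relative; anything else is relative to the page.
            resolved = posixpath.normpath(posixpath.join(page_dir, target))
            parts = resolved.strip("/").split("/")
            if parts[0] == "WEB-INF":
                continue                        # container refuses direct requests here
            if root.joinpath(*parts).is_file():
                exposed.add(resolved)           # reachable by URL as well as by include
    return sorted(exposed)

def demo():
    """Build a constructed sample webapp in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF" / "jspf").mkdir(parents=True)
        (root / "index.jsp").write_text(
            '<%@ include file="db.jsp" %>\n'
            '<jsp:include page="/WEB-INF/jspf/header.jsp" />\n')
        (root / "db.jsp").write_text("<%-- opens the DB connection --%>\n")
        (root / "WEB-INF" / "jspf" / "header.jsp").write_text("<h1>Site</h1>\n")
        return find_exposed_includes(root)

if __name__ == "__main__":
    for path in demo():
        print("directly requestable include target:", path)
```

Each path it reports is a candidate to move under WEB-INF, with the including pages updated to the new location.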