Security Flaw: Don’t leave a readable .git on the root of your server

Posted 2 years ago

Git has many advantages, but one big security flaw to avoid is leaving a readable .git directory inside your httpdocs/public_html (the web root).

Let’s say you have a folder structure like the one below.

   -> .git
   -> css/
   -> js/
   -> index.php

Leaving a readable .git directory lets anyone clone whatever is in the repository, straight from the web server.

We’ll use Google for demonstration purposes.

git clone

Whatever has been committed to Git would now be cloned onto my machine without any need for authentication. As you can imagine, this is a big no-no.

To combat this, there are a few things we can do.

  • Remove .git from the server altogether and look at deployment tools
  • Move .git out of your public_html/httpdocs folder
  • Add the following line to .htaccess: RedirectMatch 404 /\.git
    In any case, it’s worth adding this line to protect yourself from accidentally deploying .git again in future.
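As an added example (not part of the original post), here is a small POSIX shell pre-deployment check that walks a document root, reports any .git directory found under it, and checks whether the .htaccess rule recommended above is in place. The function and directory names are my own; it assumes Apache reads .htaccess from the document root.

```shell
#!/bin/sh
# Pre-deployment audit for an exposed .git directory (added example, not from the post).
# Usage: check_docroot /var/www/html
# Exit status: 0 = no .git under the docroot, 1 = .git present and not blocked,
#              2 = .git present but shielded by the RedirectMatch rule, 3 = bad path.

# Print every .git directory found below the document root given as $1.
find_exposed_git() {
    find "$1" -type d -name .git -print
}

# True when $1/.htaccess carries the blocking rule from the post (fixed-string match).
has_git_block() {
    [ -f "$1/.htaccess" ] && grep -qF 'RedirectMatch 404 /\.git' "$1/.htaccess"
}

check_docroot() {
    docroot="$1"
    [ -d "$docroot" ] || { echo "ERROR: $docroot is not a directory"; return 3; }

    exposed=$(find_exposed_git "$docroot")
    if [ -z "$exposed" ]; then
        echo "OK: no .git directory under $docroot"
        return 0
    fi

    echo "WARNING: .git directory found under $docroot:"
    echo "$exposed"
    if has_git_block "$docroot"; then
        # Blocked at the HTTP layer, but still worth moving out of the docroot.
        echo "Mitigated: .htaccess contains 'RedirectMatch 404 /\\.git'"
        return 2
    fi
    echo "FAIL: add 'RedirectMatch 404 /\\.git' to $docroot/.htaccess or move .git out of the docroot"
    return 1
}
```

Note that the rule also blocks other paths containing /.git, such as /.gitignore, and it only takes effect if Apache's AllowOverride permits FileInfo directives in .htaccess for that directory.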