Security Flaw: Don’t leave a readable .git on the root of your server

Posted 2 years ago

Git has many advantages, but one big security flaw that should be avoided is leaving a readable .git directory within your httpdocs/public_html.

Let’s say you have a folder structure like below.

/httpdocs
   -> .git
   -> css/
   -> js/
   -> index.php

Leaving a readable .git directory enables anyone to simply clone whatever is within the repository.

We’ll use Google for demonstration purposes.

git clone http://www.google.com

Whatever has been committed to Git would now be cloned onto my machine without any need for authentication. As you can imagine, this is a big no-no.

To combat this, there are a few things we can do.

  • Remove .git from the server altogether and look at deployment tools
  • Move .git out of your public_html/httpdocs folder
  • Add the following line to .htaccess:

        RedirectMatch 404 /\.git

In any case, it’s worth adding this line to protect yourself from accidentally adding .git again in future.
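As an added example that is not part of the original post, here is a POSIX shell pre-deploy check covering the mitigations above: it lists any .git directory still under the document root and confirms the .htaccess rule is present, adding it when missing. The document root path is an assumed command-line argument.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: sh check_git.sh /path/to/httpdocs

# List every .git directory under the given document root.
# Returns 0 when none are found, 1 when at least one is exposed.
find_exposed_git() {
    docroot="$1"
    hits=$(find "$docroot" -type d -name .git | wc -l | tr -d ' ')
    find "$docroot" -type d -name .git | sed 's/^/Exposed .git directory: /'
    [ "$hits" -eq 0 ]
}

# Check that the document root's .htaccess carries the RedirectMatch 404 rule
# from the post, so any .git that reappears later is still hidden by Apache.
# Returns 0 when the rule is present, 1 when the file or rule is missing.
htaccess_blocks_git() {
    htaccess="$1/.htaccess"
    [ -f "$htaccess" ] || return 1
    grep -Eq '^[[:space:]]*RedirectMatch[[:space:]]+404[[:space:]]+/\\\.git' "$htaccess"
}

# Append the rule only when it is not already there (safe to run repeatedly).
add_git_block_rule() {
    if ! htaccess_blocks_git "$1"; then
        printf 'RedirectMatch 404 /\\.git\n' >> "$1/.htaccess"
    fi
}

# When run directly with a document root, report on both mitigations.
if [ $# -eq 1 ]; then
    find_exposed_git "$1" && htaccess_blocks_git "$1" \
        && echo "OK: no .git under $1 and .htaccess blocks /.git"
fi
```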