Git has many advantages, but one big security flaw that should be avoided is leaving a readable .git directory within your httpdocs/public_html.
Let’s say you have a folder structure like below.
/httpdocs
    .git/
    css/
    js/
    index.php
Leaving the .git directory readable lets anyone simply clone whatever is within the repository.
We’ll use Google for demonstration purposes.
git clone http://www.google.com
Everything that has been committed to Git would now be cloned onto my machine with no authentication required. As you can imagine, this is a big no-no.
To combat this, there are a few things we can do.
- Remove .git from the server altogether and look at deployment tools instead
- Move .git out of your public_html/httpdocs folder
- Add the following line to .htaccess: RedirectMatch 404 /\.git
In any case, it’s worth adding this line to protect yourself from accidentally adding .git again in future.
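A post-deployment self-check that confirms your own site no longer serves its .git directory, added here as an example and not part of the original post. It probes the two files every repository contains (HEAD and config) and only reports them when the response is a 200 whose body actually looks like the Git file, so a custom error page served with status 200 is not mistaken for a leak; the fetcher is injectable, and the fake_* functions below are constructed stand-ins for a live server so the logic runs offline.

```python
import re
import sys
import urllib.error
import urllib.request

# Files present in every Git repository, with a pattern their real content
# matches: HEAD holds a ref (or a bare commit hash), config opens with [core].
GIT_PROBES = {
    "/.git/HEAD": re.compile(r"^(ref: refs/heads/\S+|[0-9a-f]{40})"),
    "/.git/config": re.compile(r"^\s*\[core\]", re.MULTILINE),
}

def urllib_fetch(url, timeout=10):
    """Return (status, first 4 KiB of body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def exposed_git_paths(base_url, fetch=urllib_fetch):
    # Report only 200 responses whose body looks like the Git file, so a custom
    # error page served with status 200 (a "soft 404") is not a false positive.
    base = base_url.rstrip("/")
    found = []
    for path, pattern in GIT_PROBES.items():
        status, body = fetch(base + path)
        if status == 200 and pattern.search(body):
            found.append(path)
    return found

# Constructed responses standing in for live servers, so the check runs offline.
def fake_exposed(url):
    if url.endswith("/.git/HEAD"):
        return 200, "ref: refs/heads/master\n"
    if url.endswith("/.git/config"):
        return 200, "[core]\n\trepositoryformatversion = 0\n"
    return 404, "Not Found"

def fake_protected(url):
    # What "RedirectMatch 404 /\.git" produces: a 404 for anything under .git
    return 404, "<html><body>Not Found</body></html>"

def fake_soft404(url):
    # Custom error page served with status 200: must not be reported as a leak
    return 200, "<html><body>Oops, page not found</body></html>"

if __name__ == "__main__":  # usage: python check_git.py https://your-site.example
    leaks = exposed_git_paths(sys.argv[1])
    print("EXPOSED: " + ", ".join(leaks) if leaks else "OK: .git not readable")
```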