Take Care of your .Git (folder)

In light of Japan’s eBay source code getting leaked!
Some websites host their version control repository (e.g. .git/) in production. Bad people can use tools to download and restore the repository and gain access to your website’s source code. Check your web server’s configuration now and make sure that it blocks access to these folders.

https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/

The fix

Using Apache directives, hide access to your file tree by disabling directory listings. Inside your Apache configuration:

Options -Indexes

Also restrict access to any files you might not want to be accessed. Here is a directive that restricts access to files that end with .txt and .sql – you can add additional file types by adding another pipe ‘|’ and the file extension (if you include the period you’ll need to escape it).

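# Deny any request whose file name ends in .txt or .sql.
# Order/Deny is Apache 2.2 syntax; Apache 2.4 without mod_access_compat
# uses "Require all denied" in place of the two lines below.
<Files ~ "(\.txt|\.sql)$">
    Order allow,deny
    Deny from all
</Files>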

Restrict all hidden files and directories

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>
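To see which requests the two rules above actually deny, here is an added example (not part of the original post) that approximates them in Python using the same regular expressions. The request paths are constructed samples, the function names are made up for illustration, and the model only imitates Apache's matching; it does not replace testing against your own server.

```python
import posixpath
import re

# Patterns copied from the directives above.
FILES_RE = re.compile(r"(\.txt|\.sql)$")
WELL_KNOWN_RE = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)  # [NC]
HIDDEN_RE = re.compile(r"(^|/)\.")


def denied_by_files(path):
    """<Files ~ ...> is matched against the last path component only."""
    return bool(FILES_RE.search(posixpath.basename(path)))


def denied_by_rewrite(path, exists=True):
    """Model of RewriteRule "(^|/)\\." - [F] and its three RewriteCond lines."""
    if WELL_KNOWN_RE.search(path):  # negated condition: /.well-known/ is exempt
        return False
    if not exists:                  # -d [OR] -f: only existing files/directories
        return False
    return bool(HIDDEN_RE.search(path))


def verdict(path, exists=True):
    """Return which rule answers 403 for the path, or 'not denied'."""
    if denied_by_rewrite(path, exists):
        return "403 rewrite"
    if denied_by_files(path):
        return "403 files"
    return "not denied"


# Constructed request paths, assumed to exist under the document root.
SAMPLES = [
    "/.git/HEAD",
    "/.env",
    "/.well-known/acme-challenge/abc123",
    "/.well-known/.git/HEAD",
    "/.well-known/security.txt",
    "/robots.txt",
    "/db/backup.sql",
    "/index.html",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{verdict(p):12} {p}")
```

The .txt pattern also denies robots.txt and /.well-known/security.txt, so keep the extension list to the files you really want hidden.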
