Take Care of your .Git (folder)

In Light of Japan’s Ebay source code getting leaked!
Some websites host their version control repository (e.g. .git/) in production. Bad people can use tools to download/restore the repository to gain access to your website’s sourcecode. Check your webserver’s configuration now and make sure that it blocks access to these folders.


The fix

Using apache directives, hide access to your file tree
Inside your Options -Indexes

Also restrict access to any files you might not want to be accessed. Here is a directive that restricts access to files that end with .txt and .sql – you can add additional file types by adding another pipe ‘|’ and the file extension (if you include the period you’ll need to escape it).

<Files  ~ "(\.txt|\.sql)$">
          Order allow,deny
          Deny from all

Restrict all hidden files and directories

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]

You may also like...