Finnian's blog

Software Engineer based in New Zealand

Git directory server vulnerability

August 25, 2016

1-Minute Read

Do you use git to manage your site and or server files? In my opinion, this is undoubtably a good way to run things but you need to make sure it’s secure. Just try going to yoursite.com/.git/config. If you haven’t secured your server properly, you will see the configuration file for your git repository. Not good, huh? Not only could an attacker reveal lots of information about your code base including where the upstream server is, I believe they could possibly get the entire source. This would allow the attacker to see exactly how the site works and be able to exploit it very easily.

Now, the good news. It’s an easy fix!

Here are the two snippets you need for Nginx and Apache respectively to secure your server.

# Nginx
location ~ /\.git {
    return 404;
}

# Apache
RedirectMatch 404 /\.git

Note that I use a 404 error instead of forbidden so that an attacker is fooled into assuming that it genuinely doesn’t exist. A 403 for example, would tell them that it does but is forbidden which may lead to them further attempting to gain access.

Raspberry Pi Swarm Gold DoE Expedition

Finnian's blog

Git directory server vulnerability

Recent Posts

Integrating Facebook's new WYSIWYG editor 'Lexical' with ActionText

From Paperclip to Active Storage at scale

Hotwire in the real world.

View Components, Storybook and Tailwind: The Holy Trinity?

What Happened to My Blog?