Restrict your .git directory on live site

Jun 15, 2010 git security

Do you use Git to manage your repository? If so, do you use it to check out code onto the server as well? If you do, you really should restrict access to your .git directory if it’s in your public root. (If you’re using things like Zend Framework, chances are your root directory is not your public directory, so you have less to worry about.)

Simply add the following lines to your Apache config:

<Directory /full/path/to/public/.git>
  Deny from all
</Directory>

This will simply rewrite the request to your home page. Visitors will no longer be able to access things like your config file, which could hold useful information about your Git repo configuration.
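The `Deny from all` directive above is Apache 2.2 syntax; Apache 2.4 moved access control to `Require` in mod_authz_core. The following is an added example, not part of the original post, that covers both versions and uses `DirectoryMatch` so that any `.git` directory in the tree is blocked rather than one hard-coded path:

```apache
# Added example: block every .git directory served by this Apache instance.
# The pattern is matched against the filesystem path. The (/|$) suffix
# covers .git itself and everything beneath it without also matching
# names such as ".github".
<DirectoryMatch "/\.git(/|$)">
    # Apache 2.4 and later (mod_authz_core is loaded)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 and earlier (no mod_authz_core)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</DirectoryMatch>
```

After reloading Apache, request `/.git/config` and `/.git/HEAD` on your own site and confirm that neither returns the file's contents.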
