PSA: Hide your .git/config directory


August 6th, 2015

PSA: Hide your .git/config directory

A lot of developers have horror stories about doing stupid things that cause security issues. A few years ago I was creating an open source app and accidentally committed and pushed up a config file containing my email login and password. It went completely unnoticed until a very nice guy emailed me and told me what I had done. Still to this day I have that weird feeling in my stomach when thinking about it. Major fail!

Of course, uploading sensitive information has been a problem for years and The Guardian ran a story back in 2013 about people using the Github search to find private ssh keys.

Another common security issue is exposing your .git directory on your public sites. Jamie Brown writes that out of 1.5m sites he analyzed, 2,402 have their .git folder exposed and downloadable.

The blog python sweetness wrote in 2013:

According to a quick gevent script, >0.7% of the first 100,000 sites from Alexa’s top 1 million sites are serving their .git directories to the outside world.

The recommended and safest way to deploy apps is to have the document root be a /public directory with all the dot files outside of this so they are not directly accessible from the web. Most frameworks including Laravel are setup this way. But a lot of downloadable apps are not. WordPress is just one example where everything runs from one directory and if you are using it with Git it’s easy to make the mistake of pushing the .git directory to a publicly viewable location.

Chris Cornutt, writer for PHPDeveloper, today tweeted about a package named greedy-git which can be used to analyse remote .git files and find private information from them. With this it’s really easy for someone to find anything private stored in this directory.

Jamie says that:

Some of these .git repositories are harmless, but from a random sample many contain dangerous information that provides a direct vector to attack the site. Hundreds listed database passwords, or included API keys for services such as Amazon AWS or Google Cloud. Others included FTP details to their own web server. Many contained database backups in .SQL files, or the contents of hidden folders that are meant to be restricted.

This appears to be a widespread problem, but the fix is easy. Here are two examples for hiding this directory on nginx and apache:


location ~ /\.git {
deny all;

Apache .htaccess:

RedirectMatch 404 /\.git

If your .git directory has been exposed Jamie recommends you assume that someone has downloaded everything already and work out what they could have seen.

Resources used in this post:

Filed in:

Eric L. Barnes

Eric is the creator of Laravel News and has been covering Laravel since 2012.