Protecting your git repository
I guess I really wrote this to remind my future self, but putting it on my blog allows me to share the knowledge.
The Problem
Every website is bombarded by bots trying to hack their way in. I can't go through all the possible issues, but one that comes up all the time is an exposed git folder.
When you use git to manage your code and clone it onto your live web server, the clone includes a hidden .git folder that git needs to keep the checkout consistent with future updates. If the web server serves that folder, attackers can request its well-known filenames directly; the commit logs, for example, contain your email address.
Commercial hosting services generally lock these down, but if you are self-hosting it's worth making sure you are safe.
Checking your site
Try hitting your website with some git files (note the . before git):
www.example.com/.git/config
www.example.com/.git/logs/HEAD
If your web server returns anything other than a Not Found (or a Forbidden, which is what the Apache rules below produce), you are exposing yourself.
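The manual check above can be scripted. The following is an added example, not code from the original post: it probes the two paths mentioned above plus .git/HEAD, and it only reports a path as exposed when the response body looks like real git metadata, so a site that answers 200 with a custom error page for every URL is reported as "suspicious" rather than as a confirmed leak. The fetch function is injectable so the classification logic can be exercised without a network; the hostname www.example.com is a placeholder.

```python
"""Check whether a site serves files from its .git directory.

Added example, not code from the original post. The target URL and the
sample responses are placeholders/constructed data.
"""
import re
import urllib.error
import urllib.request

# Paths from the post, plus .git/HEAD, whose format is fixed and easy to recognise.
PROBE_PATHS = [".git/HEAD", ".git/config", ".git/logs/HEAD"]

# What the real files look like; an HTML error page served with 200 will not match.
GIT_SIGNATURES = {
    ".git/HEAD": re.compile(rb"^ref: refs/|^[0-9a-f]{40}"),
    ".git/config": re.compile(rb"^\[core\]", re.M),
    # reflog line: <old sha> <new sha> Name <email> <timestamp> <tz>\t<message>
    ".git/logs/HEAD": re.compile(rb"^[0-9a-f]{40} [0-9a-f]{40} .*<[^>]*>", re.M),
}


def http_fetch(url, timeout=10):
    """Return (status, first 4 KiB of body). Real fetcher; swapped out in tests."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        # 403/404 arrive here; the error object still carries the body
        return err.code, err.read(4096)


def check_git_exposure(base_url, fetch=http_fetch):
    """Probe base_url for exposed git metadata.

    Returns a dict mapping each probed path to one of:
      "blocked"     server answered 404 or 403
      "exposed"     body matches what the real git file looks like
      "suspicious"  neither: not blocked, but the body is not git metadata
                    (typically a soft-404 page; worth a manual look)
    """
    results = {}
    base = base_url.rstrip("/") + "/"
    for path in PROBE_PATHS:
        status, body = fetch(base + path)
        if status in (403, 404):
            results[path] = "blocked"
        elif GIT_SIGNATURES[path].search(body):
            results[path] = "exposed"
        else:
            results[path] = "suspicious"
    return results


def is_exposed(results):
    """True if any probed path returned genuine git metadata."""
    return any(verdict == "exposed" for verdict in results.values())


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com"
    for path, verdict in check_git_exposure(target).items():
        print(f"{verdict:10s} {path}")
    print("EXPOSED" if is_exposed(check_git_exposure(target)) else "looks safe")
```

Run it as `python3 check_git.py https://your-site` before and after applying one of the server rules below; after the fix every path should come back as "blocked".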
Closing the door
It depends on the web server software you use. Here are some suggestions for the three common ones:
apache
for v2.4:
<DirectoryMatch "/\.git">
Require all denied
</DirectoryMatch>
for v2.2:
<DirectoryMatch "/\.git">
Deny from all
</DirectoryMatch>
And restart the server: sudo systemctl restart apache2
If you are on shared hosting, with no access to the .conf files, edit your .htaccess file and add:
RewriteEngine On
RewriteRule ^\.git - [F]
Caddyfile
respond /.git* 404
Then restart Caddy: sudo systemctl restart caddy
nginx
location ~ /\.git {
return 404;
}
Then restart nginx: sudo systemctl restart nginx
Be careful out there kids, it's horrible sometimes.