Don't expose the .git folder, which may contain sensitive information.
When you initialize and deploy your software through Git, it creates a .git folder that contains the repository's metadata.
If the .git folder is accessible through a web server or frontend over the Internet, it can potentially leak sensitive data.
Worse still, configuration files committed to the repository may contain credentials.
Use these tools to find credentials in the GitHub repository.
Gitjacker does more than detect the .git directory: it downloads the entire directory.
Nginx
There are multiple ways to handle this in Nginx.
You may choose not to keep the .git folder on the server at all, or block any request for it.
Blocking the request makes Nginx return HTTP status code 404.
Whatever you choose, don't forget to restart Nginx after making the configuration change.
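The Nginx rule described above, as an added example that is not the article's own snippet. It assumes a standard `server {}` block for the site; the regex location catches any request whose path contains `/.git`, so `/.git/HEAD`, `/.git/config` and a nested `/app/.git/index` all get the same answer.

```nginx
# Added example (not from the original article): put this inside the
# server {} block of the site. The regex matches any request whose path
# contains "/.git" and answers 404 without touching the filesystem.
location ~ /\.git {
    return 404;
}
```

If you would rather answer 403 Forbidden, replace `return 404;` with `deny all;`. Run `nginx -t` before reloading so a typo does not take the site down. The same pattern generalises to every dotfile a deployment might leave behind (`.env`, `.svn`, `.htpasswd`): `location ~ /\.(?!well-known/) { return 404; }` blocks them all while keeping `/.well-known/` reachable for ACME certificate validation.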
Apache HTTP
Let's see how to block .git in the Apache web server.
You have the option to use RedirectMatch or DirectoryMatch to achieve this.
Using RedirectMatch is probably the easiest.
You just need to add the following to the httpd.conf or .htaccess file.
The above would return 404 when someone accesses .git, and the following will return 403.
Next, let's try the DirectoryMatch rule by adding the following to the httpd.conf file.
Restart Apache and request a URL that includes .git; it will show a 403 Forbidden error.
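Both Apache options from this section in one place, as an added example that is not the article's own snippet. It assumes Apache 2.4 (the `Require` syntax) and that `mod_alias` is loaded, which it is in a default build.

```apacheconf
# Added example (not from the original article).

# Option 1: RedirectMatch (mod_alias), valid in httpd.conf or .htaccess.
# Any URL whose path contains "/.git" is answered with 404 ...
RedirectMatch 404 /\.git
# ... or, if you prefer an explicit 403 Forbidden, use this line instead:
# RedirectMatch 403 /\.git

# Option 2: DirectoryMatch, valid in httpd.conf (server or virtual-host
# context only; it is not allowed in .htaccess). It denies access to any
# directory on disk whose path contains "/.git", so it also covers nested
# repositories such as /var/www/app/vendor/lib/.git.
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
```

RedirectMatch works on the request URL, DirectoryMatch on the filesystem path, so the two do not conflict and can be combined. On Apache 2.2 the `Require all denied` line becomes `Order allow,deny` followed by `Deny from all`. Run `apachectl configtest` before restarting.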
Cloudflare
This is my favorite.
Block the request at the edge!
It will take around 1 minute to propagate the rule across all Cloudflare datacenters.
Once done, Cloudflare will do the rest.
Keep the server-side block in place as well, because the edge rule only covers requests that pass through Cloudflare; otherwise, an attacker can bypass Cloudflare to access .git files.
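The edge rule itself, as an added example that is not from the article. It assumes a Cloudflare firewall (WAF custom) rule created in the dashboard with the action set to Block; the expression is written in Cloudflare's rule language.

```text
(http.request.uri.path contains "/.git")
```

`http.request.uri.path` is the request path without the query string, so the rule catches `/.git/HEAD` and `/app/.git/config` alike, and the parentheses let you `or` further paths (for example `.env` or `.svn`) into the same rule later.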
Conclusion
I hope the above helps you mitigate the risk of exposing the .git directory.