How to prevent serving .git directory on web

Recently, while working on a web-based project running on Apache 2 on an EC2 Linux server with PHP and MySQL, using git as the source version control system (VCS), I was able to access the .git repository from the browser like

Why is it bad to keep .git folder on server and accessible on production servers?

When deploying any web-based application, we simply clone the repository. Most VCSs create a metadata folder in the root directory of the project; git, for example, creates a .git folder.

Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That’s 1 in 600 decent respectable sites, or 0.16% of the internet, that is dangerously exposed.

If it is accessible from the web, any user can download the complete source code and see the entire revision history and past file modifications, and can also read any configuration files that are on the server. This gives an attacker ample understanding of the code base and lets them find security flaws or other severe issues.

How to disallow access to the .git directory from the website

There are several ways of fixing this problem; a few of them are listed below:

  • Delete the .git folder from the root directory.
  • Move the .git folder to some other location from where it can’t be accessed from the browser.
  • Don’t allow access to any file whose name starts with a dot, using an .htaccess file.

I chose to go with the last option, disallowing browser access to any hidden file, because I don’t want to lose the advantages of git, such as simply switching branches, pulling updates, or doing other related work. So I want to keep the .git directory but not let users access it from the browser.

In the Linux operating system, a hidden file is any file whose name begins with a “.”. A hidden file cannot be seen with a bare ls command or an unconfigured file manager. In most cases you won’t need to see those hidden files, as most of them are configuration files/directories for your desktop.

Ideally no hidden file should be accessible from the browser, and that includes the git folder, since it is named `.git`.

I was using Apache 2, so I did the following:

  1. Apache modification
    • Enable mod_rewrite in Apache; skip this if it is already enabled.
    • Locate the httpd.conf file; in my case it is located at `/etc/httpd/conf/httpd.conf`.
    • Locate the directory configuration in httpd.conf; in my case I looked for `<Directory "/var/www/html">` because my source code lives under this folder.
    • Make sure `AllowOverride All` is set for the directory, so that the configuration can be overridden using an .htaccess file.
    • Restart the Apache server to apply the changes: `sudo service httpd restart`
  2. Create an .htaccess file in the project root directory and add the lines below.

    RewriteEngine On
    RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
    RewriteRule (^|/)([^/]+)~(/|$) - [L,F]

Great! That’s all. Try to access any hidden file or folder from the browser; it will now return Forbidden.
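To see exactly which requests the two RewriteRule patterns above turn into a 403, here is an added Python check (not part of the original post) that applies the same two regular expressions to a constructed list of request paths. It assumes the rules live in the document-root .htaccess, where Apache matches against the path relative to that directory, and it also shows a side effect worth knowing: the first rule blocks `.well-known` as well, so an ACME HTTP-01 challenge served from `/.well-known/acme-challenge/` would need its own exception.

```python
import re

# The two patterns from the .htaccess above, copied unchanged.
HIDDEN_FILE_RULE = re.compile(r"(^|/)\.([^/]+)(/|$)")
BACKUP_FILE_RULE = re.compile(r"(^|/)([^/]+)~(/|$)")


def is_forbidden(url_path: str) -> bool:
    """Return True if the .htaccess rules would answer 403 for this path.

    In per-directory (.htaccess) context Apache matches RewriteRule against
    the path relative to the directory, so the leading slash is stripped
    before matching, as Apache itself does for a document-root .htaccess.
    """
    relative = url_path.lstrip("/")
    return bool(HIDDEN_FILE_RULE.search(relative) or BACKUP_FILE_RULE.search(relative))


def audit(paths):
    """Map each path to 'FORBIDDEN' or 'allowed' so a whole list can be reviewed."""
    return {p: ("FORBIDDEN" if is_forbidden(p) else "allowed") for p in paths}


# Constructed sample requests (hypothetical, not taken from any real server):
# the files an exposed repository would leak, plus normal traffic that must
# keep working after the rules are in place.
SAMPLE_PATHS = [
    "/.git/HEAD",
    "/.git/config",
    "/.git/objects/ab/cdef",
    "/.htaccess",
    "/.env",
    "/app/.env",            # hidden file in a subdirectory, also caught
    "/index.php",
    "/index.php~",          # editor backup copy, caught by the second rule
    "/.well-known/acme-challenge/token",  # blocked too: caveat for ACME HTTP-01
    "/assets/style.css",
    "/git/README",          # no leading dot, so allowed
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:9} {path}")
```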

How To Set Up Apache Virtual Host on Ubuntu

The Apache web server is the most common and popular one in the web arena. It has excellent support for customization and for running several websites using virtual hosts.

In this article we will see how to set up a virtual host on Apache on Ubuntu (14.04, the version I am currently using). We will set up “”, which will actually point to “/home/<username>/sites/”.

Before we start, we assume you have root access where necessary. <username> is your system user name, i.e. the name of your home directory.

Step 1: First create a directory under your home directory (the most common place) where you put all your source code:

sudo mkdir /home/<username>/sites/

Add an index.html file (with some content) under

Step 2: Create a new virtual host file by copying the existing file under the directory “/etc/apache2/sites-available”

cd /etc/apache2/sites-available
cp 000-default.conf

Set at least the “ServerName” and “DocumentRoot” directives as below:

DocumentRoot /home/<username>/sites/

Step 3: Add a host entry to your hosts file, located at “/etc/hosts”

sudo vim /etc/hosts

Add a line as below:

Step 4: Now enable the VirtualHost using the command below and restart Apache:

sudo a2ensite
sudo apachectl restart

Step 5: Open your web browser and hit the URL

If you get a message like “You don’t have permission to access / on this server.”, make sure the permission on the “” directory is set to 0777. Grant the required permission if necessary.