Recently, while working on a web-based project (Apache 2 on an EC2 Linux server, PHP, MySQL, with git as the version control system (VCS)), I noticed that the .git repository was accessible from the browser at a URL like http://example.com/.git/
Why is it bad to keep the .git folder on a production server where it is accessible from the web?
When deploying a web-based application, we typically just clone the repository. Most VCSs create a metadata folder in the project's root directory; git, for example, creates the .git folder.
Out of those 1.5m sites, 2,402 have their .git folder exposed and downloadable. That's 1 in 600 decent, respectable sites, or 0.16% of the internet, that is dangerously exposed.
If it is accessible from the web, anyone can download the complete source code, see the full revision history and every past file modification, and read any configuration files that are in the repository on the server. That gives an attacker an ample understanding of the code base, from which they can spot security flaws or other severe issues.
How to disallow access to the .git directory from the website
There are several ways to fix this problem; a few of them are listed below.
- Delete the .git folder from root directory.
- Move the .git folder to some other location from where it can’t be accessed from browser.
- Deny access to any file whose name starts with a dot, using a .htaccess file.
I chose the last option, denying browser access to all hidden files, because I don't want to lose the advantages of having git on the server, such as simply switching branches or pulling updates. So I keep the .git directory but stop users from reaching it through the browser.
On Linux, a hidden file is any file whose name begins with a ".". Hidden files are not shown by a bare ls command or by a file manager with default settings. In most cases you won't need to see them, since most of them are configuration files or directories for your desktop.
Ideally no hidden file should be accessible from the browser, and the git folder is one of them, since it is named `.git`.
I was using Apache 2, so I did the following:
- Apache modification
- Enable mod_rewrite in Apache (skip this if it is already enabled).
- Locate the httpd.conf file; in my case it is at `/etc/httpd/conf/httpd.conf`.
- Locate the directory configuration in httpd.conf; in my case I looked for `<Directory "/var/www/html">` because my source code lives under this folder.
- Make sure `AllowOverride All` is set for that directory, so the configuration can be overridden by a .htaccess file.
- Restart Apache to apply the changes: `sudo service httpd restart`
- Create a .htaccess file in the project root directory and add the lines below.

```apache
RewriteEngine On
RewriteRule (^|/)\.([^/]+)(/|$) - [L,F]
RewriteRule (^|/)([^/]+)~(/|$) - [L,F]
```

Great! That's all. Try to access any hidden file or folder from the browser; it now returns Forbidden.
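As an added example (not code from the original post), the Python below mirrors what the two RewriteRule patterns match, so you can see which request paths get a 403, and then scans a few constructed Apache access-log lines to flag hidden-file requests that were still served with a 2xx, which is how an exposure like the one above shows up in logs. It also makes one caveat visible: the first pattern blocks every dot-path, including `/.well-known/`, which ACME (Let's Encrypt) HTTP validation relies on. The log lines, client IPs and timestamps are constructed for the example.

```python
import re
from typing import List, Tuple

# The two patterns from the .htaccess above, applied the way mod_rewrite does:
# a PCRE search against the request path (in per-directory context the path
# may lack its leading "/", which is why both patterns accept "^" or "/").
HIDDEN_ENTRY = re.compile(r"(^|/)\.([^/]+)(/|$)")   # any dot-file or dot-directory
BACKUP_ENTRY = re.compile(r"(^|/)([^/]+)~(/|$)")    # editor backup files such as index.php~


def is_forbidden(path: str) -> bool:
    """True if the .htaccess rules would answer 403 Forbidden for this path."""
    return bool(HIDDEN_ENTRY.search(path) or BACKUP_ENTRY.search(path))


# Constructed access-log lines (Apache "combined" format). The first two show a
# .git probe being served before the rules existed; the last shows it blocked.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:05:00 +0000] "GET /.git/HEAD HTTP/1.1" 403 199 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def served_hidden_files(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, path) for every request to a hidden or backup path that
    received a 2xx response, i.e. cases where the protection was not in place."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_forbidden(m["path"]) and m["status"].startswith("2"):
            hits.append((m["ip"], m["path"]))
    return hits


if __name__ == "__main__":
    for p in ["/.git/HEAD", "/config/.env", "/index.php~", "/.well-known/acme-challenge/x", "/index.php"]:
        print(f"{p:40} -> {'403' if is_forbidden(p) else 'served'}")
    print("served hidden files:", served_hidden_files(SAMPLE_LOG))
```

If you rely on `/.well-known/`, add an earlier `RewriteRule ^\.well-known/ - [L]` (or an equivalent allow rule) so that path is exempted before the blanket dot-path rule.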