Don’t make your .git folder publicly accessible: a hacker can steal your source code

David Adi Nugroho
2 min read · Apr 15, 2020


Have you ever realized how dangerous a publicly accessible .git folder is?

Some developers deploy their app to production with a plain git clone: they clone the app repository from GitLab/GitHub/Bitbucket directly into a web-root folder on the server, such as /var/www/app/. That leaves the .git folder sitting at /var/www/app/.git.
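Two small helpers for the deployment side of this, added here as an example and not part of the original post: the first lists every .git directory under a web root so an operator can audit existing servers, the second deploys a ref with `git archive` so no .git directory is ever written under the web root. The repository path, ref and destination are placeholders supplied by the caller; git and tar are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for .git
# directories, and deploy a tree without its .git metadata.

# find_exposed_git_dirs WEBROOT
#   Prints every directory named .git below WEBROOT, one per line.
#   Anything printed here is a candidate for the leak described in the post.
find_exposed_git_dirs() {
  find "$1" -type d -name .git 2>/dev/null
}

# deploy_without_git REPO REF DEST
#   Exports the tree at REF from the repository at REPO into DEST.
#   `git archive` emits only tracked files, so DEST never contains .git.
#   REPO can live anywhere outside the web root (e.g. /srv/repos/app.git).
deploy_without_git() {
  repo="$1"; ref="$2"; dest="$3"
  mkdir -p "$dest"
  git -C "$repo" archive "$ref" | tar -x -C "$dest"
}

# Usage (placeholder paths):
#   find_exposed_git_dirs /var/www
#   deploy_without_git /srv/repos/app.git main /var/www/app
```

Run the audit against each web root after a deploy; an empty result means there is nothing for the .htaccess rule below to protect, which is the stronger position.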

If you don’t set proper permissions on that .git folder, it will be accessible to the public, like this:

A hacker can then download your whole .git folder using:

$ wget -c -r -np -R "index.html*" https://example.com/.git

After the download, what you have is a folder that is empty apart from the .git directory, and that .git directory contains the entire commit history.

The hacker can then reset the working tree to the latest commit to restore the source code files:

$ git reset --hard HEAD

And boom, your source code is leaked!

Here is how to mitigate it:

Add or edit your .htaccess file so the .git folder is hidden:

RewriteEngine on
# Answer any request that touches .git (the directory itself or anything inside it) with 404
RewriteRule (^|/)\.git(/|$) - [R=404,L]

Why use 404 Not Found instead of 403 Forbidden?
With a 404, the hacker doesn’t even learn that the .git folder exists. With a 403 Forbidden, the hacker learns that there is a .git folder, just not an accessible one.

Hope it helps.
Salam.

David Adi Nugroho

I believe in the beauty and diversity of the world. Everything I do is to enjoy every piece of it. https://lakuapik.github.io