People often host a production website straight from a git repository, using clone, push and pull. This has one drawback: the .git directory ends up accessible via the web. How can we prevent this? Two recommended ways are given below:
- Issue a 404 (with mod_rewrite)
- Redirect it to the domain root
Code Verified in June 2025
Add the following to the .htaccess file in the website's main directory:
```apache
# Safely block all access to .git and related files
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.git(/|$) - [F,L]
    RewriteRule (^|/)\.gitignore$ - [F,L]
    RewriteRule (^|/)\.gitmodules$ - [F,L]
</IfModule>
```
Summary Table
| Option | Security | Site works? | SEO Safe | Recommended? |
|---|---|---|---|---|
| Block Only (.git etc.) | ✅ Strong | ✅ Yes | ✅ Yes | ✅ Yes |
| Redirect Everything | ❌ Bad | ❌ No | ❌ No | ❌ No |
```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(.*/)?\.git+ - [R=404,L]
</IfModule>
# Second line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+
```
```apache
# Make .git files and directory web inaccessible
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^(.*/)?\.git+ - [R=404,L]
    # Redirect all traffic to the home page
    RewriteCond %{REQUEST_URI} !^/$
    RewriteRule ^ / [R=301,L]
</IfModule>
# Second line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+
# Redirect all traffic to the home page (if no mod_rewrite)
# The pattern excludes "/" itself; matching every path would redirect
# the home page to itself in a loop.
RedirectMatch 301 ^/.+$ /
```
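The two rule sets above do not cover the same paths. This added example (not code from the original page) runs the page's patterns against constructed request paths to show where they disagree. It assumes the rules live in the document-root .htaccess, where mod_rewrite sees the path without its leading slash, and that Python's `re` treats these simple patterns the same way Apache's PCRE does; the function names are hypothetical.

```python
import re

# Patterns copied from the RewriteRule lines on this page.
BLOCK_ONLY = [r"(^|/)\.git(/|$)", r"(^|/)\.gitignore$", r"(^|/)\.gitmodules$"]
PREFIX_404 = [r"^(.*/)?\.git+"]

# Constructed request paths for illustration (not taken from the page).
SAMPLE_PATHS = [
    "/.git", "/.git/HEAD", "/blog/.git/config", "/.gitignore", "/.gitmodules",
    "/.gitattributes", "/.github/workflows/main.yml",
    "/docs/my.git.html", "/index.html",
]

def htaccess_view(url_path):
    """Return the path as a per-directory RewriteRule sees it in the
    document-root .htaccess: the leading slash is stripped (assumption)."""
    return url_path[1:] if url_path.startswith("/") else url_path

def is_blocked(url_path, patterns):
    """True if any pattern matches. RewriteRule patterns are unanchored
    unless they anchor themselves, so re.search is the right comparison."""
    path = htaccess_view(url_path)
    return any(re.search(p, path) for p in patterns)

def coverage_gaps(paths=SAMPLE_PATHS):
    """Paths where the rule sets disagree: {path: (block_only, prefix_404)}."""
    gaps = {}
    for p in paths:
        a, b = is_blocked(p, BLOCK_ONLY), is_blocked(p, PREFIX_404)
        if a != b:
            gaps[p] = (a, b)
    return gaps

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} block-only={is_blocked(p, BLOCK_ONLY)!s:5} "
              f"prefix-404={is_blocked(p, PREFIX_404)}")
    print("disagreements:", coverage_gaps())
```

The "block only" rules leave `.gitattributes` and `.github/` reachable, while the prefix pattern also denies them; extend whichever rule set you deploy to match the dotfiles your repository actually contains.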
How to download .git repo from public website?
```bash
$ wget --mirror -I .git https://www.domain.com/.git/ --no-check-certificate
$ wget --mirror -I .git https://www.domain.com/.git/
```
But why not deploy .git directory at all, then you can also skip ssh auth on production nightmare, etc.
main.yml
```yaml
name: Deploy Source Files
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2
      - name: Copy Source Files
        run: |
          rsync -av --exclude='.git' --exclude='.github' ${{ github.workspace }}/ /path/to/production/server/
```