How to Make .git Repository Files and Directories Web-Inaccessible

Many people host a production website straight out of a git repository (clone, push, pull into the web root). This has one drawback: the .git directory ends up reachable over the web, exposing the full source history. How can we prevent this? Two recommended ways are given below:

  • Answer any request for a .git path with a 404 (with mod_rewrite)
  • Redirect any request for a .git path to the domain root

Code Verified in Nov 2023


# Option 1: make .git files and directories web-inaccessible by answering 404
<IfModule mod_rewrite.c>
RewriteEngine On
# The pattern is open-ended, so it also catches .gitignore, .github, etc.
RewriteRule ^(.*/)?\.git+ - [R=404,L]
</IfModule>
# Second line of defense (if no mod_rewrite)
RedirectMatch 404 ^(.*/)?\.git+


# Option 2: redirect any request for a .git path to the home page instead of serving it
<IfModule mod_rewrite.c>
RewriteEngine On
# Only .git paths are redirected; ordinary pages are untouched
RewriteRule ^(.*/)?\.git+ / [R=301,L]
</IfModule>

# Second line of defense (if no mod_rewrite)
RedirectMatch 301 ^(.*/)?\.git+ /
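As an added check that is not part of the original post: a Python simulation of how Apache evaluates the page's pattern in per-directory (.htaccess) context over constructed request paths. It shows that the open-ended `\.git+` also catches `.gitignore` and `.github`, while a differently cased `/.GIT/` slips through (which matters on case-insensitive filesystems). `STRICT_PATTERN`, the `[NC]` variant and `verify_live` (a probe for a staging host you own) are my assumptions, not from the page.

```python
import re
import urllib.error
import urllib.request
# Pattern exactly as used in the page's RewriteRule / RedirectMatch lines.
PAGE_PATTERN = r"^(.*/)?\.git+"
# Hypothetical tightened variant (not from the page): only a ".git" path component,
# intended for use with Apache's [NC] flag:  RewriteRule ^(.*/)?\.git(/|$) - [R=404,L,NC]
STRICT_PATTERN = r"^(.*/)?\.git(/|$)"

def per_directory_path(request_uri):
    """.htaccess rules see the path without the leading slash or query string."""
    return request_uri.split("?", 1)[0].lstrip("/")

def is_blocked(request_uri, pattern=PAGE_PATTERN, nocase=False):
    """True if the pattern matches, i.e. the request gets the 404 (or redirect)."""
    flags = re.IGNORECASE if nocase else 0  # nocase=True models the [NC] flag
    return re.search(pattern, per_directory_path(request_uri), flags) is not None

def audit(paths, pattern=PAGE_PATTERN, nocase=False):
    """Map each request path to 'blocked' or 'served' under the given pattern."""
    return {p: "blocked" if is_blocked(p, pattern, nocase) else "served" for p in paths}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface 301/302 as HTTPError instead of following it

def verify_live(base_url, paths, expected=404):
    """Probe a staging host you own; return (path, status) for every path that did
    NOT answer `expected` (404 for option 1, 301 for option 2). Empty list = rule works."""
    opener = urllib.request.build_opener(_NoRedirect)
    failures = []
    for p in paths:
        try:
            status = opener.open(base_url.rstrip("/") + p).status
        except urllib.error.HTTPError as e:
            status = e.code
        if status != expected:
            failures.append((p, status))
    return failures

# Constructed sample request paths covering the interesting cases.
SAMPLE_PATHS = [
    "/.git/HEAD", "/.git/config", "/blog/.git/objects/ab/cd",  # repo contents: blocked
    "/.gitignore", "/.github/workflows/main.yml",              # also blocked: pattern is open-ended
    "/.GIT/HEAD",                                              # served: pattern is case-sensitive
    "/index.html", "/git/config", "/assets/app.git.js",        # ordinary content: served
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS).items():
        print(f"{verdict:8} {path}")
```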

How can a .git repo be downloaded from a public website?

$ wget --mirror -I .git https://www.domain.com/.git/ --no-check-certificate
$ wget --mirror -I .git https://www.domain.com/.git/
Rajesh Kumar
1 Comment
RustyNox, 8 months ago

But why not deploy the .git directory at all? Then you can also skip the SSH auth on production nightmare, etc.
main.yml

# Deploy the working tree without .git, so nothing under .git can ever be served
name: Deploy Source Files

on:
  push:
    branches:
      - main

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Repository
        uses: actions/checkout@v2

      - name: Copy Source Files
        # --exclude keeps .git and .github out of the deployed tree
        run: |
          rsync -av --exclude='.git' --exclude='.github' ${{ github.workspace }}/ /path/to/production/server/
