{"id":13364,"date":"2022-02-01T11:13:50","date_gmt":"2022-02-01T11:13:50","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=13364"},"modified":"2026-02-21T07:23:21","modified_gmt":"2026-02-21T07:23:21","slug":"security-practices-for-using-git-repository-in-production-for-deployment","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/security-practices-for-using-git-repository-in-production-for-deployment\/","title":{"rendered":"How to Make .git Repository Files and Directories Inaccessible from the Web"},"content":{"rendered":"\n<p>Many people host a production website straight from a Git repository, deploying with clone, push and pull, but this has one drawback: the .git directory becomes accessible via the web. How can we prevent this? Two ways are given below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Issue a 404 for the request (with mod_rewrite)<\/li>\n\n\n\n<li>Redirect it to the domain root<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Code Verified in June 2026 <\/h2>\n\n\n\n<p>Add this to the .htaccess file in the website's main directory:<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\"># Safely block all access to .git and related files\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">IfModule<\/span> <span class=\"hljs-attr\">mod_rewrite.c<\/span>&gt;<\/span>\n  RewriteEngine On\n  RewriteRule (^|\/)\\.git(\/|$) - &#91;F,L]\n  RewriteRule (^|\/)\\.gitignore$ - &#91;F,L]\n  RewriteRule (^|\/)\\.gitmodules$ - &#91;F,L]\n<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">IfModule<\/span>&gt;<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span 
class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Summary Table<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Option<\/th><th>Security<\/th><th>Site works?<\/th><th>SEO Safe<\/th><th>Recommended?<\/th><\/tr><\/thead><tbody><tr><td>Block Only (.git etc.)<\/td><td>\u2705 Strong<\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><\/tr><tr><td>Redirect Everything<\/td><td>\u274c Bad<\/td><td>\u274c No<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">&lt;IfModule mod_rewrite.c&gt;\nRewriteEngine On\nRewriteRule ^(.*\/)?\\.git+ - &#91;R=<span class=\"hljs-number\">404<\/span>,L]\n&lt;\/IfModule&gt;\n<span class=\"hljs-comment\"># Second line of defense (if no mod_rewrite)<\/span>\nRedirectMatch <span class=\"hljs-number\">404<\/span> ^(.*\/)?\\.git+\n\n\n<span class=\"hljs-comment\"># Make .git files and directory web inaccessible<\/span>\n&lt;IfModule mod_rewrite.c&gt;\nRewriteEngine On\nRewriteRule ^(.*\/)?\\.git+ - &#91;R=<span class=\"hljs-number\">404<\/span>,L]\n<span class=\"hljs-comment\"># Redirect all traffic to the home page<\/span>\nRewriteCond %{REQUEST_URI} !^\/$\nRewriteRule ^ \/ &#91;R=<span class=\"hljs-number\">301<\/span>,L]\n&lt;\/IfModule&gt;\n\n<span class=\"hljs-comment\"># Second line of defense (if no mod_rewrite)<\/span>\nRedirectMatch <span class=\"hljs-number\">404<\/span> ^(.*\/)?\\.git+\n\n<span class=\"hljs-comment\"># Redirect all traffic to the home page (if no mod_rewrite)<\/span>\nRedirectMatch <span 
class=\"hljs-number\">301<\/span> ^\/(.+)$ \/\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<script src=\"https:\/\/gist.github.com\/devops-school\/04caa8be4776414e57a04e3e9b01d762.js\"><\/script>\n\n\n\n<h2 class=\"wp-block-heading\">How to download a .git repo from a public website?<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">$ wget --mirror -I .git https:<span class=\"hljs-comment\">\/\/www.domain.com\/.git\/ --no-check-certificate<\/span>\n$ wget --mirror -I .git https:<span class=\"hljs-comment\">\/\/www.domain.com\/.git\/<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>","protected":false},"excerpt":{"rendered":"<p>Many people host a production website straight from a Git repository, deploying with clone, push and pull, but this has one drawback: the .git directory becomes accessible via the&#8230; 
<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[6083],"tags":[],"class_list":["post-13364","post","type-post","status-publish","format-standard","hentry","category-devsecops"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/13364","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=13364"}],"version-history":[{"count":7,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/13364\/revisions"}],"predecessor-version":[{"id":58812,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/13364\/revisions\/58812"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=13364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=13364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=13364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}