.git directories should not be exposed

Description

The issue is explained here http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/ and, while we don't have any .git directory exposed (last checked today), it makes sense to ensure that even if a developer or our automation were to deploy an app/website with a .git directory, it would be blocked and not exposed.

Environment

None

Activity


Alan Harnum October 14, 2015 at 7:50 PM

Generally speaking I think blocking public web server access to any dotfiles by default is a good practice, so I'm all in favour of this.

Giovanni Tirloni October 14, 2015 at 5:44 PM

Deployed to websites in production. No issues found so far, works as expected.

Giovanni Tirloni October 14, 2015 at 5:28 PM

I've modified the staticsite and phpsite roles to include the following in the nginx configuration template:

location ~ /\.(git|htaccess) {
    deny all;
}

Added .htaccess into the mix even though we're not using Apache, since sometimes .htaccess contains sensitive data and could have been carried over from another deployment.
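An added example, not part of the ticket or the roles it describes: it mirrors the `location ~` regex match in Python so the ticket's rule can be compared against the broader "block every dotfile" rule raised in the discussion, on constructed request paths. The `.well-known` allowlist is an assumption (a more specific location block would have to serve it).

```python
import re

# The rule from the ticket, and the broader "deny all dotfiles" variant.
TICKET_RULE = re.compile(r"/\.(git|htaccess)")
ALL_DOTFILES_RULE = re.compile(r"/\.")

# Assumption for this example: paths that must stay reachable under a
# blanket dotfile rule (e.g. ACME HTTP-01 challenges), served by an
# earlier, more specific location block.
ALLOWED_PREFIXES = ("/.well-known/",)


def is_blocked(path, rule, allow=()):
    """Mirror nginx 'location ~' semantics: a case-sensitive regex search
    over the normalised URI path (query string already stripped).
    An allowlisted prefix wins over the deny rule."""
    if any(path.startswith(p) for p in allow):
        return False
    return rule.search(path) is not None


def compare(paths):
    """Map each path to (blocked by ticket rule, blocked by dotfile rule)."""
    return {
        p: (is_blocked(p, TICKET_RULE),
            is_blocked(p, ALL_DOTFILES_RULE, ALLOWED_PREFIXES))
        for p in paths
    }


def gaps(paths):
    """Paths the dotfile rule denies but the ticket rule still serves."""
    return sorted(p for p, (t, d) in compare(paths).items() if d and not t)


# Constructed sample paths: repository metadata at the root and nested,
# look-alikes, other dotfiles, and a path that must remain reachable.
SAMPLE_PATHS = [
    "/.git/HEAD", "/.git/config", "/app/.git/objects/ab/cd",
    "/.gitignore", "/.htaccess", "/.env", "/.svn/entries",
    "/.well-known/acme-challenge/token", "/index.html",
    "/static/git/logo.png",
]

if __name__ == "__main__":
    for p, (t, d) in compare(SAMPLE_PATHS).items():
        print(f"{p:36} ticket={'deny' if t else 'allow':5} "
              f"dotfiles={'deny' if d else 'allow'}")
    print("served by ticket rule but not by dotfile rule:", gaps(SAMPLE_PATHS))
```

Note that `/\.git` also matches `/.gitignore`, while `/.env` and `/.svn/` pass the ticket rule untouched; use `~*` instead of `~` if the site is served from a case-insensitive filesystem.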

Fixed

Created October 14, 2015 at 5:20 PM
Updated August 23, 2016 at 1:44 PM
Resolved August 23, 2016 at 1:44 PM