Severity: High | Category: Infrastructure

Git Directory Accessible via Web Server

What Is This Vulnerability?

When the .git directory is reachable through a web server, an attacker can download the entire repository, including its full commit history: source code, configuration files, and every secret that was committed at any point. Files that were later deleted or overwritten are still stored as objects in that history and can be recovered. Blocking directory listings does not help, because every Git object is addressed by its hash and the whole tree can be walked starting from /.git/HEAD.

Why It Happens

A web server whose document root is the project checkout serves the .git directory like any other path unless it is explicitly blocked; static-file handlers have no notion of which files are deployment artifacts. The directory typically lands on the server through deployment methods that copy the whole working tree, such as rsync or FTP without an exclusion list, or a git clone or git pull run directly in the document root. Docker builds that COPY the full build context without a .dockerignore bake .git into the image as well, so any container that serves its working directory exposes it.

Example Code

Vulnerable nginx.conf
server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Nothing excludes dotfiles: if /var/www/html/.git exists, try_files
    # finds /var/www/html/.git/HEAD and serves it as an ordinary static file.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
Fixed nginx.conf
server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Keep ACME HTTP-01 challenges reachable. The ^~ modifier makes nginx
    # stop here for this prefix and skip the regex locations below.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }

    # Match .git anywhere in the path, not only at the web root, so
    # /app/.git/HEAD is covered too. return runs in the rewrite phase,
    # before the access phase where deny all would answer 403, so the
    # client sees 404 and learns nothing about whether the directory exists.
    location ~ /\.git {
        deny all;
        return 404;
    }

    # Same treatment for every other dotfile: .env, .htpasswd, .svn, .DS_Store
    location ~ /\. {
        deny all;
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }
}

How Hackers Exploit It

Requesting /.git/HEAD is a standard reconnaissance step, and automated scanners include it for every host they touch. If the file is readable, tools such as git-dumper rebuild the repository without needing a directory listing: they read HEAD, refs and packed-refs to find commit hashes, fetch each object by hash from /.git/objects/, follow the tree and parent links, and pull the index and any packfiles as well. The result is the complete source code, hardcoded credentials, API keys, database passwords, internal documentation and deployment scripts, plus .git/config, which may carry remote URLs. Secrets removed in a later commit are still present as objects and come back with the history.
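To make the reconstruction step concrete, here is an added example (written for this page; it is not git-dumper's code and not part of the original article). It builds a constructed two-commit repository on disk in git's own loose-object format, then walks it the way a dumper does: read HEAD, resolve the ref, fetch the commit object, its tree and its blobs, and follow the parent pointer. Reads are local file reads here; a real dumper issues the same paths as HTTP GETs under /.git/. The function names (build_demo_repo, recover_history, find_deleted_files) are hypothetical, the history is assumed linear, and packed-refs, the index file and packfiles are not handled.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path


def write_object(git_dir, obj_type, content):
    """Store a loose object exactly as git does: zlib("<type> <size>\\0" + content)."""
    raw = f"{obj_type} {len(content)}".encode() + b"\0" + content
    sha = hashlib.sha1(raw).hexdigest()
    path = Path(git_dir, "objects", sha[:2], sha[2:])
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Fetch one object by hash; a dumper requests the same objects/xx/yyyy path over HTTP."""
    raw = zlib.decompress(Path(git_dir, "objects", sha[:2], sha[2:]).read_bytes())
    header, _, body = raw.partition(b"\0")
    return header.split(b" ")[0].decode(), body


def make_tree(git_dir, files):
    """files: {name: blob_sha}; each entry is '<mode> <name>\\0' followed by 20 raw sha bytes."""
    data = b"".join(b"100644 " + n.encode() + b"\0" + bytes.fromhex(s)
                    for n, s in sorted(files.items()))
    return write_object(git_dir, "tree", data)


def make_commit(git_dir, tree_sha, parent_sha, message):
    lines = [f"tree {tree_sha}"] + ([f"parent {parent_sha}"] if parent_sha else [])
    lines += ["author Dev <dev@example.com> 0 +0000",
              "committer Dev <dev@example.com> 0 +0000", "", message]
    return write_object(git_dir, "commit", ("\n".join(lines) + "\n").encode())


def parse_tree(body):
    files, i = {}, 0
    while i < len(body):
        nul = body.index(b"\0", i)
        name = body[body.index(b" ", i) + 1:nul].decode()
        files[name] = body[nul + 1:nul + 21].hex()  # sha is stored as raw bytes, not hex
        i = nul + 21
    return files


def parse_commit(body):
    """Return (tree_sha, parent_sha); linear history assumed, so at most one parent."""
    header = dict(l.split(b" ", 1) for l in body.split(b"\n\n", 1)[0].split(b"\n"))
    return header[b"tree"].decode(), header.get(b"parent", b"").decode() or None


def recover_history(git_dir):
    """Resolve HEAD -> ref -> commit, then follow parent links; no directory listing needed."""
    head = Path(git_dir, "HEAD").read_text().strip()
    sha = Path(git_dir, head[5:]).read_text().strip() if head.startswith("ref: ") else head
    history = {}  # {commit_sha: {path: content}}, newest commit first
    while sha:
        tree_sha, parent = parse_commit(read_object(git_dir, sha)[1])
        files = parse_tree(read_object(git_dir, tree_sha)[1])
        history[sha] = {n: read_object(git_dir, s)[1] for n, s in files.items()}
        sha = parent
    return history


def find_deleted_files(git_dir):
    """Files present in an earlier commit but gone from the current tree: the 'deleted' secrets."""
    snapshots = list(recover_history(git_dir).values())
    current = snapshots[0]
    return {n: c for old in snapshots[1:] for n, c in old.items() if n not in current}


def build_demo_repo():
    """Constructed sample repo: commit 1 leaks .env, commit 2 deletes it again."""
    git_dir = Path(tempfile.mkdtemp(), ".git")
    Path(git_dir, "refs", "heads").mkdir(parents=True)
    env = write_object(git_dir, "blob", b"DB_PASSWORD=hunter2\n")
    app = write_object(git_dir, "blob", b"print('hello')\n")
    c1 = make_commit(git_dir, make_tree(git_dir, {"app.py": app, ".env": env}), None, "initial")
    c2 = make_commit(git_dir, make_tree(git_dir, {"app.py": app}), c1, "remove .env")
    Path(git_dir, "refs", "heads", "main").write_text(c2 + "\n")
    Path(git_dir, "HEAD").write_text("ref: refs/heads/main\n")
    return str(git_dir)
```

Calling find_deleted_files(build_demo_repo()) returns the .env content even though the current commit no longer references it, which is exactly why deleting a committed secret is not the same as rotating it.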

How to Fix It

Block every hidden file and directory (any path segment starting with a dot) in the web server configuration, and answer 404 rather than 403 so the response does not confirm that the directory exists; carve out /.well-known/ if you rely on ACME HTTP-01 challenges. Add .git to .dockerignore when building images. Deploy only built artifacts (a tarball, a dist/ directory, an image) rather than the repository, and never run git clone or git pull in the document root. Scan your public-facing hosts, including every subdomain, on a schedule with a scanner such as nuclei or a simple curl check of /.git/HEAD. git-dumper is the tool that downloads an exposed repository; it is useful for confirming a finding, but it is not a scanner.

Frequently Asked Questions

How can I check if my .git directory is exposed?
Request your site's URL with /.git/HEAD appended, for example with curl -i. A body of 'ref: refs/heads/main' (or another branch name, or a bare 40-character commit hash for a detached HEAD) means the directory is exposed. Check the body, not only the status code: a catch-all route such as try_files ... /index.html returns 200 with HTML for paths that do not exist. A 403 means the server is denying access but also confirms the directory is there; a 404 gives nothing away. Try /.git/config as well. nuclei's Git exposure templates automate the same probes. Test all subdomains and alternate domains too.
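The check above, as an added example that is not part of the original page: a small probe that fetches /.git/HEAD and /.git/config and classifies the responses by content, not status code alone, so a single-page-app catch-all that returns index.html for every path is not reported as a finding, and a 403 is reported separately because it still confirms the directory exists. The function names, the "git-exposure-check" User-Agent and the sample responses are all constructed for this example; check_site performs real HTTP requests, while classify and classify_samples run offline.

```python
import re
import urllib.error
import urllib.request

# A genuine HEAD file is either a symbolic ref ("ref: refs/heads/main") or,
# when detached, a bare 40-hex SHA-1. Anything else is not Git metadata.
HEAD_PATTERN = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})$")


def classify(path, status, body):
    """Verdict for one probe: 'exposed', 'blocked_403' or 'clean'.

    A 200 on its own proves nothing: catch-all routes such as
    try_files ... /index.html answer 200 with HTML for any path, so the body
    must look like the file it claims to be. A 403 still tells an attacker the
    path exists; only a 404 gives nothing away.
    """
    body = body.strip()
    if status == 200:
        if path.endswith("/HEAD") and HEAD_PATTERN.match(body):
            return "exposed"
        if path.endswith("/config") and body.startswith(b"["):  # starts with a [core] section
            return "exposed"
        return "clean"
    return "blocked_403" if status == 403 else "clean"


def fetch(url, timeout=10):
    """GET url and return (status, first 4 KiB of body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096)


def check_site(base_url, probes=("/.git/HEAD", "/.git/config")):
    """Probe one origin; run it against every subdomain and alternate hostname you own."""
    base = base_url.rstrip("/")
    return {p: classify(p, *fetch(base + p)) for p in probes}


# Constructed sample responses so the classifier can be exercised without a network.
SAMPLE_RESPONSES = {
    "symbolic HEAD":  ("/.git/HEAD", 200, b"ref: refs/heads/main\n"),
    "detached HEAD":  ("/.git/HEAD", 200, b"3b18e512dba79e4c8300dd08aeb37f8e728b8dad\n"),
    "SPA catch-all":  ("/.git/HEAD", 200, b"<!doctype html><html><body>app</body></html>"),
    "nginx deny all": ("/.git/HEAD", 403, b"<html><h1>403 Forbidden</h1></html>"),
    "returns 404":    ("/.git/HEAD", 404, b"Not Found"),
    "config leaked":  ("/.git/config", 200, b"[core]\n\trepositoryformatversion = 0\n"),
}


def classify_samples():
    """Verdict for each constructed sample; the SPA case must come back 'clean'."""
    return {label: classify(*resp) for label, resp in SAMPLE_RESPONSES.items()}
```

Against a live host, check_site("https://example.com") returns a verdict per probe; any 'exposed' result should be confirmed and handled as described in the next answer, and a 'blocked_403' result is worth converting to a 404 in the server configuration.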
What should I do if my .git was already exposed?
Block access immediately, then treat everything that was ever in the repository as compromised: rotate all secrets, API keys and passwords found anywhere in the history, not only on the current branch (git log -p --all, or a secret scanner run over the full history, will find them). Check the web server access logs for requests to /.git/ paths to establish whether and when the repository was actually pulled. Rewriting history afterwards with a tool such as git filter-repo cleans your copy but does nothing about the copies attackers have already downloaded.
Does .gitignore prevent .git directory exposure?
No. .gitignore controls which working-tree files Git tracks; it has no effect on what the web server serves, and it is itself just another file in the checkout. The .git directory is the repository, so it is present in every checkout regardless of .gitignore. You must configure the web server to deny access to .git and other hidden directories, and make sure the deployment process never copies the .git folder into the document root.
