Critical severity

Exposed `.git` Directory

A publicly reachable `/.git/` directory exposes your entire source code, commit history, configuration, and anything committed by mistake.

Business risk

Anyone can clone the whole repository with `git-dumper` or `wget --mirror`. That means every line of your backend source, internal API routes not linked from the frontend, hardcoded credentials from early commits (AWS keys, database passwords, JWT secrets that may still be valid), and any commit message that mentions an unpatched vulnerability. Exposed `.git` is a recurring top-10 finding in breach post-mortems because the source gives attackers a roadmap for everything else.

Technical details

Remediation order matters. Block the directory at the web server first, then rotate every credential that appears anywhere in the history, then decide whether the exposure window requires customer notification. Deleting the `.git` folder from the server does not help anyone who cloned it while it was exposed. Assume the worst and rotate.

How to detect it

Probe the two canonical files. A `200 OK` with content on `/.git/HEAD` or `/.git/config` is an immediate critical finding. A `403 Forbidden` still confirms the directory exists and may be partially reachable. Only `404` or a generic error page is safe.

Probe HEAD (most common leak path)

curl -sI https://yourdomain.com/.git/HEAD

Probe config (often readable even if HEAD 403s)

curl -s https://yourdomain.com/.git/config

Simulate a full dump

pip install git-dumper && git-dumper https://yourdomain.com/.git ./cloned  # test on your own site only

Common pitfalls

Returning `403` instead of `404`. 403 confirms the directory exists, which encourages deeper probing. Return 404 to make the path look like any other missing route.
Deleting `.git` from the server but not rotating credentials. Scrapers cache the repo. Assume the worst and rotate every secret in the history.
Blocking `/.git` but leaving `/.svn/`, `/.hg/`, `/.bzr/`, or `/CVS/` reachable. Attackers run the same playbook on every VCS directory.
Only blocking at the application layer. A misconfiguration of the reverse proxy or a fallback to static serving can bypass the app. Block at the outermost web server.
Forgetting deployed subdirectory apps. A single staging app at `/staging/` with an exposed `.git` leaks the whole source. Recursive checks are mandatory.

Remediation guide

Returns 404 (not 403) to avoid confirming existence.

location ~ /\.git {
    deny all;
    return 404;
    access_log off;
    log_not_found off;
}

nginx

External references

Frequently asked questions

How do I know if it was already cloned?

You usually cannot be certain. Check web server access logs for requests matching `/.git/*` from unfamiliar user agents. Assume cloning happened and rotate every secret that appears anywhere in the commit history.

What do attackers actually do with a cloned .git?

They grep for credentials in commit history (AWS keys, database URLs, API tokens), read internal API route definitions, look for unpatched vulnerability references in commit messages, and use the blame/log to identify active developers for spear-phishing.

My site is behind Cloudflare. Am I safe?

Only if Cloudflare is proxying (orange cloud) and you have a WAF rule blocking `/.git/*`. If your origin IP is discoverable, attackers can bypass Cloudflare entirely. Add origin-side blocking too.

Keep going

Related guide

Exposed `.env` File

Critical severity · Exposure

Related guide

Server Information Leakage

Low severity · Misc

Related guide

Insecure Cookies

Medium severity · Cookies

Free tool

security.txt Checker

Make it obvious how to report vulnerabilities - the RFC 9116 way.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

Technical details

How to detect it

Probe HEAD (most common leak path)

curl -sI https://yourdomain.com/.git/HEAD

Probe config (often readable even if HEAD 403s)

curl -s https://yourdomain.com/.git/config

Simulate a full dump

pip install git-dumper && git-dumper https://yourdomain.com/.git ./cloned  # test on your own site only

Common pitfalls

Returning `403` instead of `404`. 403 confirms the directory exists, which encourages deeper probing. Return 404 to make the path look like any other missing route.

Deleting `.git` from the server but not rotating credentials. Scrapers cache the repo. Assume the worst and rotate every secret in the history.

Blocking `/.git` but leaving `/.svn/`, `/.hg/`, `/.bzr/`, or `/CVS/` reachable. Attackers run the same playbook on every VCS directory.

Only blocking at the application layer. A misconfiguration of the reverse proxy or a fallback to static serving can bypass the app. Block at the outermost web server.

Forgetting deployed subdirectory apps. A single staging app at `/staging/` with an exposed `.git` leaks the whole source. Recursive checks are mandatory.

Frequently asked questions

How do I know if it was already cloned?

What do attackers actually do with a cloned .git?

My site is behind Cloudflare. Am I safe?

Only if Cloudflare is proxying (orange cloud) and you have a WAF rule blocking `/.git/*`. If your origin IP is discoverable, attackers can bypass Cloudflare entirely. Add origin-side blocking too.