critical Information Disclosure

Exposed .git Directory

The .git directory is publicly accessible, allowing attackers to download your entire source code repository.

Severity
critical
Time to Fix
30 minutes (block) + days (rotate secrets)
Difficulty
easy
OWASP
A01:2021 — Broken Access Control

What is Exposed .git Directory?

When a website is deployed by copying a git repository to the web root without proper configuration, the .git directory becomes web-accessible. An attacker can download /.git/HEAD, /.git/index, and other files to reconstruct the entire repository — including source code, configuration files, database credentials, API keys, and commit history.

Why It Matters to Your Business

An exposed .git directory leaks your entire source code, environment files (.env with database credentials), API keys, and commit history. Attackers use this to find vulnerabilities, steal credentials, and impersonate the site. This is a critical breach that requires rotating ALL secrets immediately.

How to Fix It

Block access to the .git directory at the web server level:

Nginx:
  location ~ /\.git { deny all; return 404; }
  location ~ /\.env { deny all; return 404; }

Apache (.htaccess):
  RedirectMatch 404 /\.(git|env|svn|hg)

Or remove the .git directory from the web root entirely (recommended for production):
  rm -rf /var/www/html/.git

Then rotate ALL credentials found in the repo:
  - Database passwords
  - API keys (Stripe, AWS, GitHub, etc.)
  - JWT secrets
  - OAuth client secrets

Technical Classification

OWASP CategoryA01:2021 — Broken Access Control
CWE IDCWE-538: File and Directory Information Exposure
Detected Byinfo_disclosure scanner(s)
Severity Levelcritical

How 2MNY Security Can Help

Check if your website has this vulnerability

Our info_disclosure scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities