Exposed .git Directory
The .git directory is publicly accessible, allowing attackers to download your entire source code repository.
What is Exposed .git Directory?
When a website is deployed by copying a git repository to the web root without proper configuration, the .git directory becomes web-accessible. An attacker can download /.git/HEAD, /.git/index, and other files to reconstruct the entire repository — including source code, configuration files, database credentials, API keys, and commit history.
Why It Matters to Your Business
An exposed .git directory leaks your entire source code, environment files (.env with database credentials), API keys, and commit history. Attackers use this to find vulnerabilities, steal credentials, and impersonate the site. This is a critical breach that requires rotating ALL secrets immediately.
How to Fix It
Block access to the .git directory at the web server level:
Nginx:
location ~ /\.git { deny all; return 404; }
location ~ /\.env { deny all; return 404; }
Apache (.htaccess):
RedirectMatch 404 /\.(git|env|svn|hg)
Or remove the .git directory from the web root entirely (recommended for production):
rm -rf /var/www/html/.git
Then rotate ALL credentials found in the repo:
- Database passwords
- API keys (Stripe, AWS, GitHub, etc.)
- JWT secrets
- OAuth client secrets
Technical Classification
| OWASP Category | A01:2021 — Broken Access Control |
| CWE ID | CWE-538: File and Directory Information Exposure |
| Detected By | info_disclosure scanner(s) |
| Severity Level | critical |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our info_disclosure scanner checks for this issue automatically.
Scan My Website Free