Last Updated: February 25, 2016
· magnetikonline

Hide your git on web servers

Deploying your sites via a git pull is the new black these days - which is all cool, but you don't want the public snooping your .git/, .gitignore and .gitmodules areas over your web server.

For nginx, add the following location to your sites managed under this method to 403 such requests:

location ~ "\.git($|/|attributes$|ignore$|modules$)" {
    return 404;

Stay safe!

1 Response
Add your response

Alternatively, it can make sense to init your repo one level above your web server root. Most hostings have the following subdirectories for each virtual host:

cgi-bin   # not accessible via http
tmp        # not accessible via http
www      # web root

Because you may have some scripts (e.g. cron jobs) running outside of www that are also part of the project.

over 1 year ago ·