Exposed .git Directory
High severity
What is this?
The .git folder is your Git repository itself. It holds every commit, every branch and every version of every file that was ever tracked, including files you later deleted and credentials you later removed. When it is reachable through your production web server, an attacker can download it and reconstruct your whole codebase, history included.
Why it happens
The most common cause is deploying by copying the whole project directory to the server, .git folder included: cp -r, rsync without an --exclude flag, COPY . /app in a Dockerfile with no .dockerignore, an FTP upload of the project folder, or a git clone or git pull run directly inside the web root. A proper build and deployment pipeline copies only build artifacts, never the source repository.
What's at risk
Tools like git-dumper reconstruct a complete working repository from an exposed .git directory. They do not need directory listing: they start from HEAD, the refs and the index and fetch every object those reference by its hash. That exposes your full source code, internal API endpoints, business logic, comments with internal context and every secret that was ever committed. Deleting a secret in a later commit does not remove it from history, so a single old commit can still contain database credentials, API keys or private signing keys. Treat any secret that was ever committed to an exposed repository as compromised and rotate it.
How to check
Visit this URL in your browser:
https://yoursite.com/.git/config
If the response starts with [core], your .git directory is exposed. A 404 or access denied response means that file is not being served at that path. Also request .git/HEAD: it should be an error too, whereas an exposed repository answers with a line such as ref: refs/heads/main. Judge by the body, not the status code: applications with client-side routing often answer 200 with their HTML shell for any path, which is not an exposure, and a 403 on /.git/ alone proves nothing if the individual files underneath are still served.
How to fix
Block access to the .git directory at the web server level and remove it from production.
Nginx:
location ~ /\.git {
    deny all;
    return 404;
}
The return 404 is processed before deny all, so clients see a 404 rather than a 403 and cannot tell the directory from a missing file; either directive alone would block the request. The pattern also matches /.gitignore and /.github/, which you should not be serving either.
Remove .git from production:
rm -rf /var/www/yoursite/.git
Docker - exclude .git so that COPY . /app never copies it:
# .dockerignore
.git
The best practice is to use deployment tools that only copy build output, never the source repository. If you deploy with rsync, add --exclude='.git' to your command. After the fix, repeat the check above: /.git/config must no longer return [core].
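Build tools that copy only their output are the real fix, but a deploy script can also refuse to ship a tree that still carries Git metadata. The following is an added example in Python, not Preflyt's code and not part of any deploy tool. It reports .git directories and also .git pointer files (the "gitdir: ..." file that submodules and worktrees leave behind, which points at metadata that may have been copied too). The directory layout built by demo() is constructed sample data.

```python
"""Pre-deploy audit: fail the deploy if Git metadata is still in the tree.

Added example, not Preflyt's own code. Standard library only; demo()
builds a constructed sample tree so the audit can be exercised offline.
"""
import os
import shutil
import sys
import tempfile
from pathlib import Path


def find_git_metadata(root):
    """Return sorted relative paths of every .git directory or .git file under root.

    A .git *file* (containing "gitdir: ...") is what submodules and worktrees
    use; it is reported because the metadata it points at may also have been
    copied into the deploy tree.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if ".git" in dirnames:
            hits.append((here / ".git").relative_to(root).as_posix())
            dirnames.remove(".git")  # report it once; no need to walk inside it
        if ".git" in filenames:
            hits.append((here / ".git").relative_to(root).as_posix())
    return sorted(hits)


def remove_git_metadata(root):
    """Delete everything find_git_metadata() reports; return what was removed."""
    removed = []
    for rel in find_git_metadata(root):
        target = Path(root, rel)
        if target.is_dir():
            shutil.rmtree(target)
        else:
            target.unlink()
        removed.append(rel)
    return removed


def demo():
    """Build a constructed deploy tree (top-level repo plus a vendored
    submodule pointer) and return the audit results before and after cleanup."""
    root = Path(tempfile.mkdtemp(prefix="deploy-audit-"))
    (root / ".git" / "objects").mkdir(parents=True)
    (root / ".git" / "config").write_text("[core]\n\tbare = false\n")
    (root / "vendor" / "lib").mkdir(parents=True)
    (root / "vendor" / "lib" / ".git").write_text("gitdir: ../../.git/modules/lib\n")
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<h1>hello</h1>\n")
    before = find_git_metadata(root)
    remove_git_metadata(root)
    after = find_git_metadata(root)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    # Usage: python audit.py /path/to/build-output  (path is an assumption)
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    leftovers = find_git_metadata(webroot)
    for rel in leftovers:
        print(f"git metadata in deploy tree: {rel}")
    sys.exit(1 if leftovers else 0)
```

Run it against the build output directory as the last step before copying to the server; a non-zero exit stops the deploy. Deleting the metadata with remove_git_metadata() is a fallback for trees you did not build yourself; the cleaner path is to never copy it in the first place.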
How Preflyt detects it
Preflyt checks for /.git/config and /.git/HEAD, verifying the response contains actual git configuration markers like [core] or ref: refs/ rather than an error page or HTML content from client-side routing.
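The manual check above and the Preflyt probe can be scripted. The following is an added example, not Preflyt's own code: the placeholder URL, the User-Agent string and the body heuristics are assumptions. The part worth copying is classify(): a 200 whose body is the HTML shell of a single-page app, or a redirect that lands on a login page, is not an exposure, while a body that starts with a git section header and contains [core] is.

```python
"""Check whether a site serves real git metadata at /.git/config and /.git/HEAD.

Added example, not Preflyt's probe. Standard library only; the target URL
and the heuristics for what git's own files look like are assumptions.
"""
import sys
import urllib.error
import urllib.request

PROBES = ("/.git/config", "/.git/HEAD")


def looks_like_git_config(body):
    """True if the body is an INI-style git config: the first non-comment line
    is a [section] header and a [core] section appears somewhere."""
    first = None
    for line in body.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(("#", ";")):
            first = stripped
            break
    if first is None or not (first.startswith("[") and first.endswith("]")):
        return False
    return "[core]" in body.lower()


def looks_like_git_head(body):
    """True for a symbolic ref (ref: refs/heads/main) or a detached-HEAD hash
    (40 hex chars for SHA-1 repositories, 64 for SHA-256 ones)."""
    value = body.strip()
    if value.startswith("ref: refs/"):
        return len(value.split()) == 2
    return len(value) in (40, 64) and all(c in "0123456789abcdef" for c in value)


def classify(path, status, body):
    """True only when the response is genuine git metadata, not an error page
    or the application's own HTML returned for an unknown path."""
    if status != 200:
        return False
    if path.endswith("/config"):
        return looks_like_git_config(body)
    if path.endswith("/HEAD"):
        return looks_like_git_head(body)
    return False


def fetch(url, timeout=10.0):
    """GET url and return (status, body). Redirects are followed; network
    errors return (None, "")."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(64 * 1024).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_site(base_url):
    """Probe each path and report which ones serve genuine git metadata."""
    base = base_url.rstrip("/")
    return {path: classify(path, *fetch(base + path)) for path in PROBES}


if __name__ == "__main__":
    # Usage: python check_git.py https://yoursite.com  (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://yoursite.com"
    results = check_site(target)
    for path, exposed in results.items():
        print(f"{path}: {'EXPOSED' if exposed else 'not served'}")
    sys.exit(1 if any(results.values()) else 0)
```

Run it against the scheme and host users actually reach, including any base path the app is mounted under; a site that is only exposed over HTTP, or only under /app/, is still exposed.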
Frequently asked questions
Can attackers reconstruct my source code from .git?
Yes. Tools like git-dumper can download .git objects from your server and reconstruct a fully working repository with all branches, commits, and file history. This includes files you deleted and secrets you removed in later commits.
Does .gitignore protect the .git folder?
No. .gitignore only controls what Git tracks inside your repository. It has no effect on what your web server serves to the public. Protecting .git requires web server configuration (like Nginx deny rules) or removing the folder from your production deployment entirely.
How do I remove .git from a live server?
Run rm -rf /path/to/webroot/.git on the server, then add a web server rule to block future access and re-run the check above. If your deploy process is a git pull inside the web root, removing the folder will break it; keep the checkout outside the web root and copy only the build output in, or switch to a pipeline that does. For Docker deployments, add .git to your .dockerignore file. Rotate any secret that was ever committed to that repository.