Make sure you aren’t showing the world your Git folder

Recently on Twitter, I noticed a conversation about an article on The Next Web about a problem with websites exposing their .git folder to the world. The Next Web article is based on the work of Jamie Brown, who tracked 1.5 million sites and found that 1 in 600 of those sites are giving the world access to their Git folder.

This means those sites are exposing their source code, and any sensitive information they’ve stored in their repositories over time, to any one who stumbles upon their Git folder.

One human rights organization Jamie was tracking included a CSV file in a commit with the email and home addresses of their supporters. Anyone who stumbled into their .git folder could download it. Other sites were storing server access keys, database passwords, and encryption salts.

If a site is making this mistake, anyone who navigates to this folder will see this:

Website index with .git directory

1 in 600 may not feel like a huge problem, but if a site you’re working on has a .git folder anyone can navigate to in a browser, it’s a big deal. If you want to test for this mistake, you can try entering http://‌‌ and see if you hit a 404 page or subfolders containing changes tracked in a Git folder.

If you find you’ve been showing the world your Git folder, it’s a good idea to go through everything that was public in this folder and reset passwords and other sensitive security info as soon as possible. Here are a few things you may want to change if you can navigate to your .git folder from a browser:

  • API access info
  • encryption salts
  • server keys
  • database passwords

This can be a devastating issue and it’s pretty simple to fix. When you work on any project, whether or not DeployBot is part of your stack, we think it’s important to shine a light on these kind of problems.

The best way to avoid this problem is to make sure you aren’t cloning your Git folder to your server when you deploy. When you are working on a project where you can’t use DeployBot, or Beanstalk, you can deploy with FTP or use this git push method from Kerrick Long. Be sure you don’t include your .git folder in a public directory.

With DeployBot and Beanstalk you’re automatically covered since we never clone your repository to your server. Instead, when we deploy your code, we copy files that have changed since your last commit to your server. Since we’re not cloning anything to a Git folder on your server, you don’t have to worry about a .git folder showing up on your server.

Our goal as we build DeployBot is to make your entire deployment workflow simple and avoid issues like this when your code goes live. If you haven’t given DeployBot a try yet, head over and signup for your free account now.