Home / Tools / Block access to .svn and .hg version control directories
Exposed Files · Scan Check Guide

Block access to .svn and .hg version control directories

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

Beyond Git, other version control systems (Subversion's .svn, Mercurial's .hg, Bazaar's .bzr) leave similar metadata folders that can expose your source history if they're accidentally left in a public web root — less common than exposed Git repos, but just as revealing when present.

Same risk as an exposed .git directory, for Subversion and Mercurial — anyone who finds it can potentially reconstruct your source code and history.

How to fix it

  1. 1
    Check for other VCS metadata folders
    Visit yoursite.com/.svn/entries or yoursite.com/.hg/ — if either resolves with real content, that VCS metadata is exposed.
  2. 2
    Block access at the server level
    Add a rule denying access to any dotfile/folder pattern (.svn, .hg, .bzr) alongside your .git block.
  3. 3
    Confirm your deployment process excludes them
    Ideally none of these folders ship to production in the first place.

Common mistakes

How you'll know it's done

No version control metadata folders (.svn, .hg, .bzr, or similar) are accessible via direct URL.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →