A .git folder contains your site's entire version history — including old code, past credentials that were later removed, and internal comments. If it's accessible in your public web root, tools exist that can reconstruct your entire source code and history from it automatically.
An exposed .git directory lets anyone download your entire source code, including hardcoded credentials, API keys, and internal system details. A critical and surprisingly common exposure.
https://yoursite.com/.git/config returns a 403 or 404.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →