Home / Tools / Block public access to .git directories and version control files
Exposed Files · Scan Check Guide

Block public access to .git directories and version control files

15 min Impact: high Effort: low ✓ Scan-verified — no manual checkbox

A .git folder contains your site's entire version history — including old code, past credentials that were later removed, and internal comments. If it's accessible in your public web root, tools exist that can reconstruct your entire source code and history from it automatically.

An exposed .git directory lets anyone download your entire source code, including hardcoded credentials, API keys, and internal system details. A critical and surprisingly common exposure.

How to fix it

  1. 1
    Check exposure
    Visit https://yoursite.com/.git/config — if it returns real content, your repository is exposed.
  2. 2
    Block access at the server level
    Add a rule denying access to any dotfile/folder (.git, .svn, etc) in your server config — a few lines covers this permanently.
  3. 3
    Confirm your deployment process doesn't publish .git at all
    Ideally .git never ships to your production server in the first place — check your deploy script or CI pipeline excludes it.
  4. 4
    Rotate any credentials found in your git history
    If exposed, assume anyone could have downloaded your full commit history, including any secrets ever committed and later "removed."

Common mistakes

How you'll know it's done

https://yoursite.com/.git/config returns a 403 or 404.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →