Recently, I read about an innocent mistake committed often by web developers and thought it’d be nice to share it on fossBytes. Developers risk the security of their entire website by exposing their .git folder. This is a recipe for disaster, as it keeps all the information in one place. If someone has access to your .git folder, they can download your entire code repo along with the database passwords, hashes, salts, third-party API keys, and user data.
As mentioned above, this downloadable .git folder contains all the website information and could easily be used to cause serious damage. The ratio of vulnerable websites was about 1 in every 600 respected websites, i.e. about 0.16 percent, which is a very dangerous amount.

It should also be noted that not every .git repo contains sensitive information. Still, out of the large sample set, many websites were hackable using the .git folder, as they contained API keys for Amazon AWS or Google Cloud, FTP details for their own server, hidden folders, or database backups in .SQL files.
How to check if your .git folder is exposed?
How to lock down your .git folder access?
If your .git folder is visible, the ideal way to lock it down is to delete it and look for a better way to deploy your code. Assuming that someone has already downloaded all the data, change all the relevant passwords, API keys, hashes and salts.
To protect your .git folder, you can create a .htaccess file in each .git directory and deny access, but there are ways to make this global by putting it into the main config file.
You can use the following simple and clean way to hide any file or directory (and return 404) whose name begins with .git. If you put it in the root htdocs, it does a global job. Take a look:
The above piece of code can go into .htaccess or your server config file. It hides any file or directory whose name begins with .git (e.g. a .git directory or a .gitignore file) by returning a 404. So not only are the contents of your Git repo hidden, its very existence is hidden too. Make sure you verify access to https://www.yourdomainname.com/.git/ after making this change.
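As an added example that is not part of the original article, the POSIX shell helper below covers both the check and the lock-down described above: it writes an Apache rule that answers 404 for any path containing a name beginning with .git, and it fetches /.git/HEAD from a host you administer to confirm nothing is served. It assumes Apache httpd with mod_alias (which provides RedirectMatch), curl on the machine running the check, and that the hypothetical function and file names (install_git_block_rule, looks_like_git_head, check_git_exposure, the target conf path) are yours to choose.

```shell
#!/bin/sh
# Added example, not code from the fossBytes article or from Apache.
# Assumptions: Apache httpd with mod_alias, curl installed, and that the
# host being checked is one you own or administer.

# Emit the Apache rule. RedirectMatch belongs to mod_alias and is accepted
# both in the main server config and in .htaccess (AllowOverride FileInfo).
# The regex /\.git is unanchored at the end, so /.git/, /.gitignore and
# /sub/dir/.git/config all get a 404 rather than a 403, which also hides
# that the repository exists at all.
apache_git_block_rule() {
    cat <<'EOF'
# Return 404 for any file or directory whose name begins with .git
RedirectMatch 404 /\.git
EOF
}

# Append the rule to a config file, e.g. the document root's .htaccess or
# a conf snippet such as /etc/apache2/conf-available/deny-git.conf
# (hypothetical path; adjust to your layout, then reload Apache).
install_git_block_rule() {
    target="$1"
    apache_git_block_rule >> "$target"
}

# Decide whether a fetched body looks like a real .git/HEAD file.
# HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id
# (detached HEAD). Returns 0 when it matches, 1 otherwise. Checking the
# body, not only the status code, avoids false alarms from servers that
# answer every unknown path with a 200 "soft 404" HTML page.
looks_like_git_head() {
    body="$1"
    printf '%s\n' "$body" | grep -Eq '^ref: refs/|^[0-9a-f]{40}$'
}

# Fetch https://<your-host>/.git/HEAD and report.
# Exit status: 0 = exposed, 1 = not exposed, 2 = could not fetch.
check_git_exposure() {
    base="$1"
    url="${base%/}/.git/HEAD"
    # Body first, then the HTTP status code on its own final line.
    resp=$(curl -sS --max-time 10 -w '\n%{http_code}' "$url" 2>/dev/null) || return 2
    code=$(printf '%s\n' "$resp" | tail -n 1)
    body=$(printf '%s\n' "$resp" | sed '$d')
    if [ "$code" = "200" ] && looks_like_git_head "$body"; then
        echo "EXPOSED: $url serves a Git HEAD file"
        return 0
    fi
    echo "ok: $url returned HTTP $code"
    return 1
}

# Typical use on your own site, after deploying the rule:
#   install_git_block_rule /var/www/html/.htaccess
#   check_git_exposure https://www.yourdomainname.com
```

Run the check before and after installing the rule: a correctly configured server returns HTTP 404 for /.git/HEAD (and the function exits 1), while an exposed server returns 200 with a body starting `ref: refs/`. Because the rule matches any path containing /.git, it also covers repositories checked out in subdirectories, which a single .htaccess inside one .git folder would miss.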
Jamie writes on his blog that this could be the “biggest hole in the internet” right now. Please spread the word among fellow web developers to make the web a safer place.