Exposed .git Directory

How attackers find and exploit it

• Enumerate candidate hosts with mass recon (certificate transparency logs, DNS brute force, port scans) and queue every web origin for a content-discovery sweep.
• Request /.git/HEAD and /.git/config on each origin; a 200 response containing a 'ref:' line or a '[core]' INI section is a near-certain confirmation that the repository is exposed.
• Pull the low-hanging metadata first: /.git/config often discloses the remote origin URL (sometimes with embedded credentials), and /.git/logs/HEAD reveals committer names, emails, and the commit graph.
• Run an automated dumper such as git-dumper or GitTools to walk refs, packed-refs, the index, and the loose object store, then recursively fetch every referenced object even when Apache or Nginx directory listing is turned off.
• Reconstruct the working tree with 'git checkout' from the recovered objects, then grep the source and full history for secrets (API keys, .env values, private keys) and for exploitable application logic to chain into deeper compromise.

How to detect it on your surface

• Inventory every public web origin (apex domains, subdomains, load balancers, legacy hosts) and request /.git/HEAD and /.git/config against each one, treating any non-404 response as a finding to investigate.
• Sweep for sibling version-control metadata at the same time, including /.svn/entries, /.hg/, and /.bzr/, since the same deployment mistake exposes all of them.
• Audit your deployment pipeline: confirm production artifacts are built from a checkout that excludes .git, rather than a raw 'git clone' or 'git pull' into the document root.
• Search web server configuration for an explicit deny rule on dot-git paths and verify it actually returns 403/404 by testing in a staging environment that mirrors production.
• Review reverse proxy and CDN rules, because an origin-level block can be bypassed if a caching tier or alternate vhost serves the path differently.

Detection signals

• /.git/HEAD returns HTTP 200 with a body like 'ref: refs/heads/main' or a 40-character commit hash.
• /.git/config returns 200 with INI sections such as '[core]', '[remote "origin"]', and a 'url =' line.
• A 403 Forbidden (rather than 404 Not Found) on /.git/ indicates the directory physically exists even though listing is blocked, meaning individual files may still be fetchable.
• /.git/logs/HEAD or /.git/index returns binary or structured content, and /.git/objects/pack/ serves .pack and .idx files when directory listing is enabled.

Validate before you report

• Fetch /.git/config and /.git/HEAD and confirm the byte content is genuine git metadata (valid INI structure and a real ref or hash), not a custom error page returning 200.
• Retrieve a single loose object referenced by HEAD and inflate it with zlib to confirm it decompresses into a valid git object header (e.g. 'commit', 'tree', or 'blob' plus a length), proving the object store is live.
• Attempt a controlled, scoped dump of refs and a small number of objects, then run 'git fsck' or 'git checkout' on the recovered repository to prove the source tree actually reconstructs.
• Capture the evidence (HTTP responses, recovered file names, and a redacted snippet of recovered source) and note the exact commit reachable, so the finding is provably a true positive rather than a guessed signature.

What looks like this but isn't

• A wildcard or SPA catch-all route that returns 200 with the app's HTML for every path, including /.git/HEAD, is not an exposure; verify the response is real git metadata, not the index page.
• A directory literally named 'git' (a docs folder, a UI component, or a vanity path) is unrelated; the finding requires the dot-prefixed .git internals such as HEAD, config, and objects to be served.

Remediation

• Immediately block all access to dot-git paths at the web server: in Apache use a 'Require all denied' or LocationMatch rule for (^|/)\.git, in Nginx add 'location ~ /\.git { deny all; return 404; }', and apply the equivalent request-filtering rule in IIS.
• Remove the .git directory from the production document root entirely so a configuration regression cannot re-expose it.
• Rebuild your deployment to ship only build artifacts (for example via CI/CD, rsync with excludes, or container images), never by running 'git clone' or 'git pull' in the web root.
• Treat every secret discoverable in the repository or its history as compromised: rotate database credentials, API keys, tokens, and private keys, and purge them from git history with a tool like git filter-repo so future leaks reveal nothing.
• Add a deny rule for sibling VCS metadata (.svn, .hg, .bzr) and for other sensitive dotfiles (.env, .htpasswd) using the same mechanism.
• Verify the fix in staging and production by confirming /.git/HEAD and /.git/config return 404, then add an automated check to your pipeline so the regression cannot ship again.

Operational checklist

• Maintain a continuously updated inventory of every internet-facing web origin and probe all of them for VCS metadata on a recurring schedule, not just at deploy time.
• Enforce, via a deny rule in a shared base server configuration, that dotfiles and VCS directories are never served, so new sites inherit the protection by default.
• Gate releases with a CI/CD step that fails the build if a .git directory would be included in the deployed artifact.
• Run secret scanning (for example gitleaks or trufflehog) across repositories and history so committed credentials are caught before they can leak through any channel.
• Operate a credential rotation runbook so that any confirmed source-code or metadata exposure triggers prompt revocation and reissue of affected secrets.
• Re-test after every infrastructure or proxy change, since CDN, load-balancer, and vhost reconfiguration can silently reopen a previously closed path.

Weakness references (CWE)

• CWE-527 — Exposure of Version-Control Repository to an Unauthorized Control Sphere
• CWE-538 — Insertion of Sensitive Information into Externally-Accessible File or Directory
• CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor