Hide git folder with .htaccess

Published on — Filed under protip

I've recently been alerted to a very common security hole in many well-known web services: exposed .git (or other VCS/sensitive) folders.

Ideally, one would never pull code from VCS to deployment machines but rather push it. But since changing deployment mechanisms takes time, here's a duct-tape solution:

RedirectMatch 404 "(?:.*)/(?:\.git|file_or_dir)(?:/.*)?$"

Add this one-liner to the .htaccess file in the root of your project and it'll return 404 for all files and folders (and their subfolders) matching the regex.
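The rule's coverage can be checked offline before it is deployed. The following is an added example, not code from the original post: it rebuilds the one-liner from a list of names (`.svn` and `.hg` are assumed stand-ins for `file_or_dir`, and the function names are hypothetical) and runs it over constructed URL paths.

```python
import re

# Names to hide. ".git" is from the post; ".svn" and ".hg" are assumed
# examples standing in for the post's "file_or_dir" placeholder.
HIDDEN_NAMES = [".git", ".svn", ".hg"]


def build_pattern(names):
    """Return the post's regex with file_or_dir replaced by escaped names."""
    alternatives = "|".join(re.escape(name) for name in names)
    return r"(?:.*)/(?:" + alternatives + r")(?:/.*)?$"


def directive(names):
    """Return the .htaccess line. RedirectMatch needs mod_alias and an
    AllowOverride setting that includes FileInfo."""
    return 'RedirectMatch 404 "' + build_pattern(names) + '"'


def is_blocked(url_path, names=HIDDEN_NAMES):
    """True if the rule would answer 404 for this URL path.

    RedirectMatch applies the regex to the URL path without anchoring
    at the start, which re.search reproduces.
    """
    return re.search(build_pattern(names), url_path) is not None


# Constructed sample paths: (path, expected to be blocked?)
SAMPLES = [
    ("/.git", True),
    ("/.git/config", True),
    ("/app/vendor/lib/.git/HEAD", True),  # nested checkout
    ("/.svn/entries", True),
    ("/.gitignore", False),               # different file name, not covered
    ("/docs/git/intro.html", False),      # no leading dot, left alone
    ("/.GIT/config", False),              # matching is case-sensitive
]

if __name__ == "__main__":
    print(directive(HIDDEN_NAMES))
    for path, expected in SAMPLES:
        result = is_blocked(path)
        note = "" if result == expected else "  <-- unexpected"
        print(("404 " if result else "pass"), path + note)
```

The last sample matters when the document root sits on a case-insensitive filesystem; prefixing the regex with `(?i)` makes the match case-insensitive.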