
I recently discovered that I had been serving .git on my blog for a couple of years. All it took to fix was a simple rule in my Nginx config:

    # Don't expose hidden files to the web
    location ~ /\. {
        return 404;
    }



Though, keep in mind the potential conflict with /.well-known/ - <http://tools.ietf.org/html/rfc5785>.


This isn't the best solution. Instead do as others have suggested and make a subdirectory of your project the webserver root.

This solution just stops nginx (/whatever web server you're using) from displaying the file. If someone finds a remote-file inclusion vulnerability in your app, in all likelihood they can use said vulnerability to browse your .git directory -- because, hey, it's in your webserver directory, so the permissions are almost certainly set up so whatever user the webserver is running as (www-data probably/hopefully) can view it!

(Obviously if your webserver user can view important files such as these elsewhere on the system, you're still screwed -- but reducing attack surface, etc etc.)
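Putting the two suggestions above together (serve a subdirectory as the document root, refuse dotfiles, but keep /.well-known/ reachable), as an added example that is not from any commenter in this thread; the server name and the /srv/blog/public path are placeholders:

```nginx
server {
    listen 80;
    server_name example.com;          # placeholder

    # Document root is a subdirectory of the checkout, so .git and any
    # other repository files sit outside what nginx can ever serve.
    root /srv/blog/public;

    # RFC 5785 well-known URIs (e.g. ACME challenges) must stay reachable.
    # "^~" makes this prefix location win over the regex location below,
    # so the dotfile rule does not swallow /.well-known/.
    location ^~ /.well-known/ {
        try_files $uri =404;
    }

    # Any path segment beginning with a dot (.git, .env, .htaccess, ...)
    # is refused. 404 rather than 403 avoids confirming the path exists.
    location ~ /\. {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` after editing to confirm the configuration parses before reloading.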


Yep. It's good practice to disallow . files because one time you may forget you put one there.


deny all; works too



