In this guide, I will show you how to block access to .git folder.

When you initialize or deploy the Git application, it creates a .git folder that contains sensitive information. If .git folder is accessible over the Internet, it can potentially leak your data.

Here is an example of  data leaking with a security vulnerability scanner like gitjacker

Gitjacker downloads git repositories and extract their contents from sites where the .git directory has been mistakenly uploaded. It will still manage to recover a significant portion of a repository even where directory listings are disabled.

Webservers allow you to block certain files or directories under your document root from being accessed over the web.


To block access to .git folder, add the following to your Nginx server entry.

location ~ /\.git {
deny all;

Now restart Nginx.

systemctl restart nginx


To block access to .git folder, add the following to your httpd.conf file.

<Directorymatch "^/.*/\.git/">
  Order 'deny,allow'
  Deny from all

Now restart the Apache.

RHEL & Centos

systemctl restart httpd

Ubuntu / Debian

systemctl restart apache2

htaccess rule

Open your website root directory and place the next to .htaccess file:

RedirectMatch 404 ^/\.git

The rule will take effect as soon as you save your changes.