Exposed Secrets

.git Directory Exposed

Your entire source code and git history are downloadable - including secrets you committed and later deleted.

critical severity

The .git/ directory is git's internal database - it contains your complete commit history, every version of every file, and all your branches. When it's accessible over the web, tools like git-dumper can reconstruct your entire repository from just the URL.

This is especially dangerous because git history doesn't forget. Even if you deleted a secret key from a commit two years ago, it's still in the git history and fully recoverable.

  • Complete source code exposure - your entire codebase, including private business logic
  • Historical secrets - API keys, passwords, tokens committed at any point are recoverable
  • Attack surface mapping - attackers can read your code to find vulnerabilities

  1. Immediately rotate any credentials that have ever been in your git history
  2. Block access to /.git/ in your web server config
  3. Fix your deployment to not serve the project root (same fix as .env exposure)

Block .git in Nginx:

location ~ /\.git {
    deny all;
    return 404;
}

Block .git in Apache (.htaccess):

RedirectMatch 404 /\.git

Block .git in Caddy:

@dotfiles path */.*
respond @dotfiles 404

Better yet: fix your deployment config so you're only serving the build output directory, not the project root. Vercel and Netlify do this correctly by default.
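After deploying one of the blocks above, confirm it actually took effect. The following self-check is an added example, not part of this page or its scanner: it fetches only /.git/HEAD from your own host and classifies the answer, distinguishing a real exposure from a catch-all SPA page that returns 200 for every path. The function names and the User-Agent string are my own choices.

```python
"""Self-check: does a host serve its .git/ directory?  Added example, not the
page's own tooling.  Fetches only .git/HEAD and classifies the response, so a
200 from a catch-all SPA fallback page is not mistaken for an exposed repo."""
import re
import urllib.error
import urllib.request

# A genuine .git/HEAD is either a symbolic ref ("ref: refs/heads/main")
# or, when detached, a bare 40-hex commit id.
HEAD_RE = re.compile(rb"ref: refs/\S+|[0-9a-f]{40}")


def looks_like_git_head(body: bytes) -> bool:
    """True only when the body has the exact shape of a git HEAD file."""
    return HEAD_RE.fullmatch(body.strip()) is not None


def classify(status: int, body: bytes) -> str:
    """Turn one HTTP response for /.git/HEAD into a verdict.

    'exposed'  - 200 with a real HEAD file: git-dumper style tools can pull the repo
    'blocked'  - 403/404: the server refuses or hides the path (the desired state)
    'fallback' - 200 but not a HEAD file, e.g. an SPA serving index.html for
                 every unknown path; not exposed, but the block rule is not active
    'unknown'  - anything else (5xx, unexpected codes)
    """
    if status == 200:
        return "exposed" if looks_like_git_head(body) else "fallback"
    if status in (403, 404):
        return "blocked"
    return "unknown"


def check_host(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD and classify it (needs network access)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/.git/HEAD",
        headers={"User-Agent": "git-exposure-selfcheck"},  # constructed value
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096))
    except urllib.error.HTTPError as e:
        return classify(e.code, b"")


if __name__ == "__main__":
    import sys
    # Usage: python selfcheck.py https://your-domain.example
    print(check_host(sys.argv[1]))
```

A "fallback" verdict means nothing is leaking right now, but the deny rule is not being applied, so a later change to the catch-all could expose the directory.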
