I have a website that I use github (closed source) to track changes and update site. The only problem is, it appears the .git directory is accessible via the web. How can I stop this and still be able to use git?

Should I use .htaccess? Should I change permissions of .git?

Create a .htaccess file in the .git folder and put the following in this file:

Order allow,deny
Deny from all

Put this in an .htaccess file at the root of your web server:

RedirectMatch 404 /\.git

This solution is robust and secure: it

• works for all .git directories in your site, even if there are more than one,
• also hides other Git files like .gitignore and .gitmodules
• works even for newly-added .git directories, and
• doesn't even give away the fact that the directories exist.

Both .htaccess and permissions on the .git/ folder would work. I recommend the former:

<Directory .git>
    order allow,deny
    deny from all
</Directory>

I didn't want to muck around in the .git directory and wasn't able to get Bennett's solution to work on Apache 2.2, but adding the following to my <VirtualHost> configuration worked:

RewriteRule ^.*\.git.* - [R=404]

mod_rewrite will give you the desired affect:

RewriteEngine on
RewriteRule .*\.git/.* - [F]

I'm not comfortable with controlling access to my .git folders individually and choose to do it via apache config instead of .htaccess, to prevent me overwriting them, or forgetting on a new install etc.

Here are some detailed instructions hope they help. I'm using Ubuntu 16.10.

1. First check what happens if you navigate to the .git folder in a browser. In my case I was presented with a directory listing. If you are seeing what you shouldn't be seeing (ie. you're not getting a 404), do the following.
2. Use apache2ctl -V to get the HTTPD_ROOT and SERVER_CONFIG_FILE
3. Use this to edit your apache config, in my case $ sudo nano /etc/apache2/apache2.conf
4. Add the following somewhere in the config file: RedirectMatch 404 /.git
5. Restart apache: $ sudo service apache2 restart
6. Should now get you a 404 if you navigate to the folder again
7. I tried this with .gitignore and also got a 404

A more robust and simple option would be disabling the READ and Execution permission of the .git directory.

Since mostly Apache (httpd) runs under a special user account, for example, it runs as user apache on CentOS, while the .git directory must be created under a real user account, so we can simply block the access by changing the permission. Moreover, this approach doesn't introduce any new file, nor affect the git commands.

The command can be:

chmod -R o-rx .git