
Question Deny access to .git/config (and other existing Files)

futureweb

Regular Pleskian
Hey there,

lately there was an article labeled "Massive security problems due to open Git repositories" (Google Translate)
I tried to open some .git/ExistingFile Files on Plesk Hostings on our Servers ... and guess what - all are openly accessible ... (i.e.: https://www.domain.tld/.git/config)

Can we Server-Wide disable accessing Files within .git Directory?
On our non-Plesk Servers I normally have

Code:
<DirectoryMatch "^/.*/\.git/">
  Require all denied
</DirectoryMatch>

in Apache Config ... but what's the "Best Practice approach" on Plesk Servers on this?

thx
Andreas
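As an added example that is not part of this thread, here is a small check a hosting admin can run over Apache access logs to verify the deny rule is actually in effect: any 2xx response for a path under a .git/ or .svn/ directory means that directory is still being served. The log lines are constructed, and the format assumed is Apache's "combined" log format.

```python
import re

# Apache "combined" log format (assumed; adjust the regex if your vhosts log differently)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Repository metadata directories that must never be served (.git and .svn, as in the thread).
# Requires a path separator or end-of-path after the name so that /.gitignore does not match.
VCS_DIR_RE = re.compile(r'(^|/)\.(git|svn)(/|$)')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_vcs_requests(lines):
    """Split requests for VCS metadata into (served, blocked).

    served : 2xx responses, i.e. the deny rule is missing or not applied to that vhost
    blocked: everything else (403 from the deny rule, 404 when no repo exists, ...)
    """
    served, blocked = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not VCS_DIR_RE.search(path):
            continue
        entry = (rec["ip"], path, int(rec["status"]))
        (served if 200 <= entry[2] < 300 else blocked).append(entry)
    return served, blocked


# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0100] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2025:12:00:02 +0100] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
198.51.100.9 - - [10/Jan/2025:12:01:10 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:12:02:00 +0100] "GET /shop/.svn/entries HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2025:12:02:05 +0100] "GET /.gitignore?x=1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    served, blocked = audit_vcs_requests(SAMPLE_LOG.splitlines())
    for ip, path, status in served:
        print(f"SERVED  {status} {path} from {ip}  <- deny rule not effective")
    for ip, path, status in blocked:
        print(f"blocked {status} {path} from {ip}")
```

Feed it a real log with `audit_vcs_requests(open("/path/to/access_log"))`; an empty `served` list is what you want to see after the DirectoryMatch rule is in place.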
I wonder why you have a .git folder in your domain's public folder?

Best practice for the past 10 years or so [for PHP apps at least] is to keep the /vendor folder and other important folders and files outside the public folder

I wonder why you have a .git folder in your domain's public folder?

Not quite an answer to the question, but well ... we are a Hosting Provider with several Plesk Servers hosting thousands of Customers, we can't control what and where our Customers store their Data on their Hostings (or force them using Plesk GIT Features ...) - but always trying to minimize potential targets on our Servers / trying to keep our customers as safe as possible ...
Well, ok then

This reminds me of the same situation related to .svn folders years ago
and the solution was the same:
in global Apache config deny all for any .svn folders