Home  »  ArticlesHow ToTechnologyTools   »   Secure Your Apache Server: Preventing the Serving of .git Directories

Secure Your Apache Server: Preventing the Serving of .git Directories

When setting up a website or web application using the Apache web server, security is paramount. One often overlooked aspect of security is ensuring that sensitive directories, such as .git, are not accessible to the public. Exposing the .git directory can pose significant risks, as it may contain sensitive information like source code, configuration files, and commit history. In this tutorial, we’ll explore how to prevent Apache from serving the .git directory, thus bolstering the security of your web server.

Understanding the Risks

The .git directory is the heart of a Git repository, containing all the information necessary for version control. However, if this directory is accessible via the web server, it exposes sensitive data to potential attackers. They could exploit this access to view source code, identify vulnerabilities, or even extract sensitive information.

Steps to Prevent Apache from Serving .git Directories

Let’s delve into the steps to safeguard your Apache server and prevent it from serving .git directories:

Step 1: Locate Your Apache Configuration Files

Apache’s configuration files are typically found in the /etc/apache2/ directory. The main configuration file is httpd.conf, while additional configuration files are often located in the conf.d/ or sites-available/ directories.

Step 2: Modify Apache Configuration

Open your Apache configuration file using a text editor. Look for the <Directory> directive that specifies the document root or the directory where your website’s files are stored. Within this directive, add the following lines to deny access to .git directories:

<Directory /var/www/html>
    Options -Indexes
    AllowOverride None
    Require all granted
    RedirectMatch 404 /\.git

Replace /var/www/html with the path to your website’s root directory.

Step 3: Restart Apache

After making changes to the Apache configuration, it’s crucial to restart the Apache service to apply the changes. You can do this using the following command:

$ sudo systemctl restart apache2

Verify the Configuration

To ensure that Apache is no longer serving .git directories, attempt to access a .git directory within your website’s directory structure using a web browser or a tool like curl. You should receive a 404 Not Found error, indicating that the directory is not accessible.


By following these steps, you can enhance the security of your Apache web server by preventing the serving of .git directories. This simple yet effective measure helps mitigate the risk of exposing sensitive information and strengthens the overall security posture of your website or web application. Remember to regularly review and update your server configuration to adapt to evolving security threats and best practices. Protecting your server from unauthorized access is an ongoing effort that requires vigilance and proactive measures.

Found this article interesting? Follow Brightwhiz on Facebook, Twitter, and YouTube to read and watch more content we post.

Available under:
Articles, How To, Technology, Tools