Safeey.io
File Exposure

Why an Exposed .git Directory Is a Goldmine for Attackers

The mistake that leaks your whole codebase

When you deploy by copying your project folder to a server, the hidden .git directory often comes along. If the server serves it, anyone can reach https://yoursite.com/.git/ — and that folder contains your entire version history.

What an attacker gets

The .git directory isn't just your current code. It's every commit ever made. Tools like git-dumper can reconstruct the full repository from an exposed .git folder in minutes. That gives an attacker:

  • Your complete source code, ready to audit for vulnerabilities.
  • Secrets you thought you removed — API keys or passwords committed once and "deleted" later still live in the history.
  • Internal comments, TODOs, and architecture details that map your app.

Why "I deleted that key" doesn't save you

Git never forgets. Removing a secret in a later commit doesn't erase it — it's still sitting in an earlier object. If the .git folder is public, so is that old secret.

How to check and fix it

  • Request https://yoursite.com/.git/config. If it returns a config file, your repository is exposed.
  • Never deploy the .git directory. Use a build/deploy pipeline that ships only the built artifact.
  • Configure your web server to deny any request path containing .git.
  • If it was exposed, rotate every credential that ever appeared in your history and consider the code compromised.

Catch it early

Safeey probes for exposed .git directories, source control leaks, and hundreds of other artifacts on every scan. Check your site now.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site