The Power of a Single Line: Securing Your Website with RedirectMatch 404 /\.git


In the world of web development and server administration, security is never optional. One small misconfiguration could expose sensitive data, especially when using popular version control systems like Git. One such vulnerability is accidentally exposing the .git directory on your public-facing server.

Fortunately, there's a simple yet powerful solution that can protect your project from this mistake:

RedirectMatch 404 /\.git

🔒 Why .git Should Never Be Public

The .git folder contains the entire history of your codebase. If exposed, attackers can:

  • Download the full source code including sensitive business logic or API keys.
  • Enumerate commits to discover removed files or secrets.
  • Check out previous versions, including the code as it was before security patches were applied.
  • Identify team members from commit metadata (emails, names).

Exposing this folder is the digital equivalent of leaving your master key taped to your front door.


🧾 What Does RedirectMatch 404 /\.git Actually Do?

This directive tells Apache to match any request whose URL path contains /.git and immediately return a 404 Not Found response. Here’s the breakdown:

  • RedirectMatch is a flexible redirect mechanism using regular expressions (it is provided by mod_alias).
  • 404 means “Not Found” – not just blocked, but pretending the resource doesn’t exist. A 403 Forbidden would confirm that the directory is there; a 404 gives nothing away.
  • /\.git is a regex. Because it is not anchored with ^ or $, it matches any request path that contains /.git, i.e. any path segment beginning with .git (like /project/.git, /api/.git/config, etc.), which also covers names such as /.gitignore or /.github.

✅ Benefits:

  • Lightweight: No need for complex rewrite rules or .htaccess gymnastics.
  • Foolproof: Blocks the entire .git directory and subpaths.
  • Safe: Doesn't rely on potentially incorrect directory permissions.
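To make the matching behaviour concrete, here is an added Python illustration (not part of the original article, and not Apache code) of how the unanchored /\.git pattern behaves against request paths. Apache applies the RedirectMatch regex to the URL path without anchoring it, which is the same as Python's re.search. The TIGHTER_RULE pattern is an assumption added here for comparison: it only matches the .git directory itself and its contents, not names such as /.gitignore.

```python
import re

# The rule exactly as written in the article.
PAGE_RULE = r"/\.git"
# Assumed stricter variant (not from the article): only the .git segment itself,
# followed by a slash or the end of the path.
TIGHTER_RULE = r"/\.git(/|$)"


def rule_matches(pattern, path):
    """Return True if an unanchored Apache-style regex matches the request path.

    RedirectMatch matches the pattern anywhere in the URL path, so the Python
    equivalent is re.search, not re.fullmatch.
    """
    return re.search(pattern, path) is not None


def classify(paths, pattern=PAGE_RULE):
    """Map each sample path to whether the given rule would answer 404."""
    return {p: rule_matches(pattern, p) for p in paths}


# Constructed sample request paths for the demonstration.
SAMPLE_PATHS = [
    "/.git/config",                 # blocked by both rules
    "/project/.git/HEAD",           # blocked by both rules (nested repo)
    "/api/.git/refs/heads/main",    # blocked by both rules
    "/.gitignore",                  # blocked only by the article's unanchored rule
    "/.github/workflows/ci.yml",    # blocked only by the article's unanchored rule
    "/gitlab/index.html",           # not blocked: no literal "/.git"
    "/docs/git-tips.html",          # not blocked: no literal "/.git"
]

if __name__ == "__main__":
    for rule_name, rule in (("PAGE_RULE", PAGE_RULE), ("TIGHTER_RULE", TIGHTER_RULE)):
        print(f"--- {rule_name}: {rule}")
        for path, blocked in classify(SAMPLE_PATHS, rule).items():
            print(f"{'404' if blocked else '   '}  {path}")
```

The over-match on /.gitignore and /.github is usually harmless (those files rarely belong on a web root anyway), but the same unanchored behaviour applies to every pattern in this style, so a rule like /vendor also matches /vendors/ or /api/vendor-list.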

šŸ› ļø Where to Place This Rule

You can place this line in your:

  • .htaccess file (if AllowOverride All is enabled),
  • Apache virtual host config,
  • Global Apache configuration file (httpd.conf or apache2.conf).

Example for .htaccess (RedirectMatch comes from mod_alias, so that is the module to guard on; wrapping it in mod_rewrite.c would silently skip the rule on a server that has mod_alias but not mod_rewrite):

<IfModule mod_alias.c>
    RedirectMatch 404 /\.git
</IfModule>

🔎 Other Security Considerations You Might Be Missing

While blocking .git is crucial, it’s just the tip of the iceberg. Here are more folders and files you should secure or restrict:

🧷 Other Common Sensitive Paths:

RedirectMatch 404 /\.svn       # Subversion
RedirectMatch 404 /\.hg        # Mercurial
RedirectMatch 404 /\.bzr       # Bazaar
RedirectMatch 404 /\.env       # Laravel and other frameworks (also matches .env.local, .env.example)
RedirectMatch 404 /composer\.(json|lock)
RedirectMatch 404 /package\.json
RedirectMatch 404 /yarn\.lock
RedirectMatch 404 /config\.php
RedirectMatch 404 /php\.ini
RedirectMatch 404 /vendor      # unanchored: also matches /vendors/ and /api/vendor-list

These often contain configuration, credentials, or libraries that should never be exposed publicly.


📋 Bonus: Testing Your Setup

After applying these rules, test them:

curl -I https://yourdomain.com/.git/config

You should see:

HTTP/1.1 404 Not Found

If you still get a 200 OK or see content, your protection is not working. A 403 Forbidden is better than 200 but still tells a visitor the path exists, which is why the rule returns 404. Check:

  • If .htaccess is enabled (AllowOverride All),
  • If mod_alias, the Apache module that provides RedirectMatch, is enabled,
  • If the server is Nginx (Apache rules don’t apply there).
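The curl check above covers one path. The following added Python script (not part of the original article) extends it to the full list of paths from this post so you can verify a server you administer in one run. It issues HEAD requests like curl -I and reports each path as ok (404), EXPOSED (200), blocked but revealing (401/403), or needing a manual look. The host https://yourdomain.com is a placeholder; the path list is constructed from the rules above and should be adjusted to your deployment.

```python
import sys
import urllib.error
import urllib.request

# Constructed from the RedirectMatch rules in the article; adjust for your site.
SENSITIVE_PATHS = [
    "/.git/config", "/.git/HEAD",
    "/.svn/entries", "/.hg/hgrc", "/.bzr/branch-format",
    "/.env",
    "/composer.json", "/composer.lock", "/package.json", "/yarn.lock",
    "/config.php", "/php.ini",
    "/vendor/autoload.php",
]


def fetch_status(url, timeout=10):
    """Return the HTTP status code of a HEAD request, the equivalent of curl -I."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status code is what we want.
        return err.code


def verdict(status):
    """Translate a status code into the outcome the article describes."""
    if status == 404:
        return "ok (404)"
    if status == 200:
        return "EXPOSED (200)"
    if status in (401, 403):
        return "blocked (%d) but confirms the path exists" % status
    if status in (301, 302, 307, 308):
        return "redirect (%d): follow it and re-check" % status
    return "check manually (%d)" % status


def check_paths(base_url, paths=SENSITIVE_PATHS, fetch=fetch_status):
    """Check every path under base_url; `fetch` is injectable so the logic can be tested offline."""
    base = base_url.rstrip("/")
    return {path: verdict(fetch(base + path)) for path in paths}


def exposed(results):
    """Paths that returned 200, i.e. the rule is not in effect for them."""
    return sorted(p for p, v in results.items() if v.startswith("EXPOSED"))


if __name__ == "__main__":
    # Placeholder host; pass your own server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://yourdomain.com"
    results = check_paths(target)
    for path, outcome in results.items():
        print(f"{path:24} {outcome}")
    bad = exposed(results)
    print("\nexposed paths:", ", ".join(bad) if bad else "none")
```

Run it as `python check_paths.py https://yourdomain.com` after deploying the rules. Some servers answer HEAD with 405 Method Not Allowed; those paths are reported as "check manually" and can be retried with a GET in curl.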

🧱 Nginx Equivalent

If you're using Nginx instead of Apache, use this in your server block:

location ~ /\.git {
    return 404;
}

🧠 Finally

Security is often a game of layers, and no single line of code will protect everything. But small lines like:

RedirectMatch 404 /\.git

can dramatically reduce your attack surface. In today’s internet, assuming your server is safe by default is dangerous. Instead, take a proactive stance and close every loophole, starting with the low-hanging fruit.


Remember: Security isn't just about hiding secrets—it's about making sure they were never exposed in the first place. ✅
