Blocking .svn and .git Directories on Apache or IIS

October 15, 2013
web

One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .git/ or .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as your server-side source code.

Blocking .svn and .git Directories on Apache

Just add the following to your .htaccess or httpd.conf file:

RedirectMatch 404 (?i)\.git
RedirectMatch 404 (?i)\.svn

Or if you want to block all hidden directories (probably not a bad idea) you can do this:

RedirectMatch 404 (?i)/\..+
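
An offline check of what these three patterns actually match, added here as an example (it is not code from the original post). Python's re.search stands in for Apache's unanchored match against the URL path, and the request paths and the names RULES, SAMPLE_PATHS and blocked_by are constructed for the illustration. It shows that the .git rule also catches any path that merely contains ".git", and that the catch-all rule returns 404 for /.well-known/ URLs such as security.txt.

```python
import re

# The three RedirectMatch patterns from the post. Apache applies them
# unanchored to the URL path (not the query string); re.search does the same.
RULES = {
    "git": r"(?i)\.git",
    "svn": r"(?i)\.svn",
    "all_hidden": r"(?i)/\..+",
}

# Constructed request paths, not taken from any real site.
SAMPLE_PATHS = [
    "/.git/HEAD",                 # repository metadata, must be blocked
    "/.GIT/config",               # case variant, covered by (?i)
    "/app/.svn/entries",          # nested working copy
    "/.gitignore",                # hidden file rather than directory
    "/docs/repo.git-notes.html",  # ordinary page that contains ".git"
    "/.well-known/security.txt",  # standard well-known URI
    "/index.cfm",                 # normal application page
]


def blocked_by(path, rule_names):
    """Return the names of the given rules whose pattern matches the path."""
    return [name for name in rule_names if re.search(RULES[name], path)]


def report(rule_names):
    """Map every sample path to the rules that would answer it with a 404."""
    return {path: blocked_by(path, rule_names) for path in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, hits in report(list(RULES)).items():
        verdict = "404 via " + ", ".join(hits) if hits else "served"
        print(f"{path:30} {verdict}")
```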

Blocking on IIS

On IIS 7+ you can use the awesome request filtering feature to accomplish this. The most appropriate way to do this would probably be with the hiddenSegments feature. You can configure it using the GUI or in your web.config file as follows:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <hiddenSegments>
               <add segment=".git" />
               <add segment=".svn" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

