Pete Freitag Pete Freitag

Blocking .svn and .git Directories on Apache or IIS

Updated on November 15, 2023
By Pete Freitag

One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .git/ or .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as your server side source code.

Blocking .svn and .git Directories on Apache

Just add the following to your .htaccess or httpd.conf file:

RedirectMatch 404 (?i)\.git
RedirectMatch 404 (?i)\.svn

Or if you want to block all hidden directories (probably not a bad idea) you can do this:

RedirectMatch 404 (?i)/\..+

Blocking on IIS

On IIS7+ you can use the awesome request filtering feature to accomplish this, the most appropriate way to do this would probably be with the hiddenSegement feature. You can do this using the GUI or in your web.config file as follows:

               <add segment=".git" />
               <add segment=".svn" />

svn git security apache iis subversion

Blocking .svn and .git Directories on Apache or IIS was first published on October 15, 2013.

If you like reading about svn, git, security, apache, iis, or subversion then you might also like:

Weekly Security Advisories Email

Advisory Week is a new weekly email containing security advisories published by major software vendors (Adobe, Apple, Microsoft, etc).


Working on some new CF2018 servers that had the lockdown tool run on them,
noticed the redirect matches for git and svn were blocking any file or path containing those strings, so RedirectMatch 404 (?i).*.git.* was 404 redirecting for /digital.gif or /digital/index.htm for example, just FYI.
by Chris on 04/27/2021 at 8:07:51 AM UTC
@Chris - looks like they are not escaping to dot in the pattern, which makes the dot behave like a wildcard and not a literal dot/period.

Take a look at my blog entry above and notice mine has a slash before the dot.
by Pete Freitag on 04/27/2021 at 1:12:51 PM UTC
@Pete, thanks yes I added slashes today, just commenting here because the rule I pasted was auto generated by the lockdown tool, in case anyone else has the same problem.
by Chris on 04/27/2021 at 1:32:17 PM UTC