Metadata
- Source
- INFRA-48
- Type
- Bug
- Priority
- Major
- Status
- Closed
- Resolution
- Fixed
- Assignee
- Giovanni Tirloni
- Reporter
- Giovanni Tirloni
- Created
- 2015-10-14T13:20:54.790-0400
- Updated
- 2016-08-23T09:44:44.418-0400
- Versions
- N/A
- Fixed Versions
- N/A
- Component
- N/A
Description
The issue is explained here http://www.jamiembrown.com/blog/one-in-every-600-websites-has-git-exposed/ and, while we don't have any .git directory exposed (last checked today), it makes sense to ensure that even if a developer or our automation was to deploy an app/website with a .git directory, that it would be blocked and not exposed.
Comments
-
Giovanni Tirloni commented
2015-10-14T13:28:26.890-0400 I've modified the staticsite and phpsite roles to include the following in the nginx configuration template:

    location ~ /\.(git|htaccess) {
        deny all;
    }

Added .htaccess into the mix even though we're not using Apache, since sometimes .htaccess contains sensitive data and could have been carried over from another deployment.
-
Giovanni Tirloni commented
2015-10-14T13:44:56.458-0400 Deployed to websites in production. No issues found so far, works as expected.
-
Alan Harnum commented
2015-10-14T15:50:14.253-0400 Generally speaking I think blocking public web server access to any dotfiles by default is a good practice, so I'm all in favour of this.
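A way to check what the location rule from the ticket actually blocks before it is deployed, and how it compares with the broader "deny every dotfile" rule suggested in the last comment, is to replay a list of request URIs through the same regex. The script below is an added example, not part of the ticket or of the staticsite/phpsite roles. It assumes a simplified model of nginx's URI normalization (query string stripped, percent-decoding, duplicate slashes collapsed, `.` and `..` segments resolved) before the `location ~` regex is applied; the sample URIs are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The regex from the ticket's nginx block:  location ~ /\.(git|htaccess) { deny all; }
# nginx "~" locations are case-sensitive and unanchored, so this also matches
# /.gitignore, /.github/... and a .git directory nested under any sub-path.
TICKET_PATTERN = re.compile(r"/\.(git|htaccess)")

# The broader rule proposed in the last comment: deny any dotfile or dot-directory.
ALL_DOTFILES_PATTERN = re.compile(r"/\.")


def normalize_uri(raw_uri: str) -> str:
    """Approximate what nginx does to a request URI before location matching.

    This is a simplified model (assumption), not nginx's own code: drop the query
    string, percent-decode, collapse empty segments and resolve '.' and '..'.
    It is enough to show that encoded or traversal-style spellings of /.git
    still land on the regex.
    """
    path = raw_uri.split("?", 1)[0]
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_denied(raw_uri: str, pattern: re.Pattern = TICKET_PATTERN) -> bool:
    """True if the rule would return 403 for this request."""
    return pattern.search(normalize_uri(raw_uri)) is not None


def audit(uris, pattern: re.Pattern = TICKET_PATTERN) -> dict:
    """Map each constructed URI to whether the given rule denies it."""
    return {uri: is_denied(uri, pattern) for uri in uris}


# Constructed sample requests: the kind of paths a scanner in the linked
# article would probe, plus a few legitimate ones that must keep working.
SAMPLE_URIS = [
    "/.git/config",
    "/.git/HEAD",
    "/blog/.git/index",          # repo checked out under a sub-directory
    "/%2Egit/config",            # percent-encoded dot, decoded before matching
    "/static//.git/objects/",    # duplicate slash
    "/a/../.git/config",         # dot-dot resolved before matching
    "/.htaccess",
    "/.gitignore",               # side effect of the unanchored /\.git match
    "/.env",                     # NOT covered by the ticket rule
    "/.well-known/acme-challenge/token",  # legitimate dotdir (ACME)
    "/index.html",
    "/git/config",               # no leading dot: a normal path
]

if __name__ == "__main__":
    ticket = audit(SAMPLE_URIS)
    broad = audit(SAMPLE_URIS, ALL_DOTFILES_PATTERN)
    print(f"{'URI':40} {'ticket rule':12} {'all dotfiles'}")
    for uri in SAMPLE_URIS:
        print(f"{uri:40} {'deny' if ticket[uri] else 'allow':12} "
              f"{'deny' if broad[uri] else 'allow'}")
```

Two things the table makes visible: the ticket's rule leaves other sensitive dotfiles such as `.env` reachable, while the broader `/\.` rule closes that gap but also denies `/.well-known/`, which ACME HTTP-01 validation needs, so a deployment that adopts the broad rule wants an explicit `location ^~ /.well-known/` exception placed before it. Because `~` is case-sensitive, `/.GIT/config` is not matched; that only matters on a case-insensitive filesystem, where `~*` would be the safer modifier.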