How to fix an exposed .git directory
Your .git folder is publicly accessible. Tools like `git-dumper` can reconstruct your entire repository from just `/.git/`, including old commits that may contain credentials you removed. This usually happens when a build tool copies the whole project folder to the deployed directory. The fix is to exclude `.git/` from your deployment output and verify it is no longer reachable.
Why it matters
A leaked .git directory is worse than a leaked .env — it gives an attacker every secret you ever committed, even ones you later removed. Git never forgets; removing a file from `main` does not remove it from history.
How to check
1. Open `https://your-site.com/.git/HEAD` in a browser.
2. If you see text like `ref: refs/heads/main`, your .git is exposed.
3. Try also `/.git/config` and `/.git/index`.
Or let SafeToShip check it for you in 60 seconds.
How to fix it
Vercel
Vercel excludes .git automatically. If yours is exposed, your build is explicitly copying it (for example, a `cp -r . build/` step). Audit your build command.
Generic hosts
Add .git/ to your host's ignore list, redeploy, and if your host supports it, add a URL rule blocking /.git/*. On nginx, add `location ~ /\.git { deny all; }`.
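The build-side half of the fix, as an added example that is not SafeToShip's code: the copy step that produces the deployment directory skips `.git`, `.svn` and `.hg` at every depth (so a vendored checkout under `lib/` is skipped too), and a gate refuses to ship a build directory that still contains any of them. It assumes the build output is a plain directory tree on disk; the function names are ours. Note that it matches files as well as directories, since a worktree or submodule checkout has a `.git` file rather than a directory.

```python
"""Added example (not SafeToShip's code): copy a project for deployment without
VCS metadata, then refuse to deploy if any slipped through.

Assumptions: the build output is a directory tree; the names checked are the
ones the guide mentions (.git, .svn, .hg); all function names are ours.
"""
import os
import shutil
import sys
from typing import List

VCS_DIRS = (".git", ".svn", ".hg")


def copy_for_deploy(src: str, dst: str) -> None:
    """Copy src to dst, skipping .git/.svn/.hg entries at every depth.

    This replaces the `cp -r . build/` style step that causes the leak: the
    ignore callback is applied in each directory copytree visits, so nested
    checkouts (e.g. lib/vendor/.git) are skipped as well as the top-level one.
    """
    shutil.copytree(src, dst, ignore=shutil.ignore_patterns(*VCS_DIRS), dirs_exist_ok=True)


def find_vcs_metadata(root: str) -> List[str]:
    """Return the paths of every .git/.svn/.hg entry under root.

    Files count too: a git worktree or submodule checkout has a `.git` *file*
    pointing at the real gitdir, and that file alone leaks internal paths.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in VCS_DIRS:
                hits.append(os.path.join(dirpath, name))
        # Do not descend into a matched directory; reporting it once is enough.
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
    return sorted(hits)


def gate_deploy(build_dir: str) -> bool:
    """Deploy gate: True if build_dir is clean, False (with a report) if not."""
    hits = find_vcs_metadata(build_dir)
    for hit in hits:
        print(f"refusing to deploy: VCS metadata in build output: {hit}")
    return not hits


if __name__ == "__main__":
    # Usage: python deploy_copy.py <project-dir> <build-dir>
    source_dir, build_dir = sys.argv[1], sys.argv[2]
    copy_for_deploy(source_dir, build_dir)
    sys.exit(0 if gate_deploy(build_dir) else 1)
```

Run the gate as the last step before upload, not only once: a later change to the build command can reintroduce the copy, and the gate fails the pipeline instead of letting the exposure reach production. The nginx rule from the guide is still worth keeping as defense in depth.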
```nginx
# nginx: refuse any request whose path contains /.git, and answer 404 rather
# than 403 so the response does not confirm the directory exists
location ~ /\.git { deny all; return 404; }
```

AI prompt
Copy-paste into your AI tool
Paste this prompt into Cursor, Lovable, Bolt, v0, or Claude Code and it will walk through the fix for your specific codebase.
My deployed site has a .git directory accessible at /.git/HEAD. Find out where in my build process .git is being copied into the deployment and remove it. Then help me audit my git history for leaked secrets using `git log --all -p | grep -iE "(key|secret|token|password)"` and list everything that needs rotating.

FAQ
Frequently asked questions
- Can I just block /.git via a redirect?
- A redirect alone is weak — the attacker can bypass it. Remove the files from the deployment. Add host-level rules only as defense in depth.
- Should I also check for .svn and .hg?
- Yes. Same attack, different VCS. Block them all.
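The manual checks above (`/.git/HEAD`, `/.git/config`, `/.git/index`) and the FAQ's point about `.svn` and `.hg`, as an added script that is not SafeToShip's scanner. It fingerprints the response body instead of trusting the status code, because many hosts answer every unknown path with the app's index page (a 200 "soft 404"), which would otherwise look like an exposed repository. The names `PROBES`, `classify` and `probe` are ours; the fingerprints (`ref: refs/` or a bare commit hash in HEAD, the `DIRC` magic of the index file, the SQLite header of `.svn/wc.db`, `revlogv1`/`store` lines in `.hg/requires`) are assumptions based on what those files normally contain.

```python
"""Added example (not SafeToShip's code): check a site for reachable VCS metadata.

Assumptions: the fingerprints below describe what a real checkout serves at each
path; PROBES, classify() and probe() are names chosen here, not part of any tool.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Detached HEAD: a bare SHA-1 (40 hex) or SHA-256 (64 hex) commit id.
HEX_REF = re.compile(rb"^[0-9a-f]{40}([0-9a-f]{24})?\s*$")


def _git_head(body: bytes) -> bool:
    first = body.splitlines()[0] if body else b""
    return first.startswith(b"ref: refs/") or bool(HEX_REF.match(first))


def _git_config(body: bytes) -> bool:
    return b"[core]" in body and b"repositoryformatversion" in body


def _git_index(body: bytes) -> bool:
    return body.startswith(b"DIRC")  # index file magic bytes


def _svn_wcdb(body: bytes) -> bool:
    return body.startswith(b"SQLite format 3\x00")  # Subversion 1.7+ working copy db


def _hg_requires(body: bytes) -> bool:
    lines = {line.strip() for line in body.splitlines()}
    return bool(lines & {b"revlogv1", b"store"})


# One fingerprint per path; a plain HTTP 200 is never enough on its own.
PROBES = {
    "git": [("/.git/HEAD", _git_head), ("/.git/config", _git_config), ("/.git/index", _git_index)],
    "svn": [("/.svn/wc.db", _svn_wcdb)],
    "hg": [("/.hg/requires", _hg_requires)],
}


def classify(path: str, status: int, body: bytes) -> Optional[str]:
    """Return the VCS name if (path, status, body) is real metadata, else None."""
    if status != 200:
        return None
    for vcs, probes in PROBES.items():
        for probe_path, fingerprint in probes:
            if probe_path == path and fingerprint(body):
                return vcs
    return None


def probe(base_url: str, timeout: float = 5.0) -> Dict[str, List[str]]:
    """Fetch each probe path from your own site and report what is reachable."""
    found: Dict[str, List[str]] = {}
    for vcs, probes in PROBES.items():
        for path, _ in probes:
            req = urllib.request.Request(base_url.rstrip("/") + path,
                                         headers={"User-Agent": "vcs-exposure-check"})
            try:
                with urllib.request.urlopen(req, timeout=timeout) as resp:
                    status, body = resp.status, resp.read(4096)  # header bytes suffice
            except urllib.error.HTTPError as err:
                status, body = err.code, b""
            except (urllib.error.URLError, OSError):
                continue  # unreachable host: nothing to classify
            if classify(path, status, body):
                found.setdefault(vcs, []).append(path)
    return found


if __name__ == "__main__":
    # Usage: python vcs_check.py https://your-site.com
    hits = probe(sys.argv[1])
    for vcs, paths in hits.items():
        print(f"EXPOSED {vcs}: {', '.join(paths)}")
    sys.exit(1 if hits else 0)
```

The script exits non-zero on any hit, so it can run as a post-deploy smoke test against the live URL; a hit on `/.git/HEAD` after the build fix means the host still serves the old directory and needs a cache purge or a host-level block as well.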