Exposed .git directory on Vercel
Your .git folder is publicly accessible. Tools like `git-dumper` can reconstruct your entire repository from just `/.git/`, including old commits that may contain credentials you removed. This usually happens when a build tool copies the whole project folder to the deployed directory. The fix is to exclude `.git/` from your deployment output and verify it is no longer reachable.
The fix for Vercel
Vercel excludes .git automatically. If yours is exposed, your build is explicitly copying it (for example, a `cp -r . build/` step). Audit your build command.
Why it matters
A leaked .git directory is worse than a leaked .env — it gives an attacker every secret you ever committed, even ones you later removed. Git never forgets; removing a file from `main` does not remove it from history.
Confirm the fix worked
Scan your Vercel site to confirm this finding is gone.
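A small script, added to this guide and not part of Vercel's tooling, that does the two checks this page asks for: it fetches `/.git/HEAD` on your own deployment and reports exposure only when the body looks like a real Git HEAD file (some hosts answer a missing path with an HTML page and status 200, which a status-only check misreads), and it applies the same `key|secret|token|password` pattern as the audit command below to `git log --all -p` output, reporting only added lines together with the commit that introduced them. The URL you pass is your own site; the log fragment used in the test is constructed.

```python
import re
import subprocess
import sys
import urllib.error
import urllib.request

# Same pattern the guide's grep uses, case-insensitive.
SECRET_RE = re.compile(r"(key|secret|token|password)", re.IGNORECASE)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")


def looks_like_git_head(body: str) -> bool:
    """A served .git/HEAD is a symbolic ref ('ref: refs/heads/...') or a bare 40-hex SHA."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


def git_head_exposed(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch <base_url>/.git/HEAD from your own deployment; True only if the body is a HEAD file.
    A 4xx/5xx means not exposed; connection errors propagate so a dead host is not read as 'fixed'."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.git/HEAD",
                                 headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and looks_like_git_head(resp.read(512).decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False


def find_leaked_lines(log_p: str):
    """Walk `git log --all -p` output and return (commit, added_line) pairs that match SECRET_RE.
    Only '+' lines are considered, so the '---'/'+++' file headers and removed lines are skipped."""
    hits, commit = [], None
    for line in log_p.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        if line.startswith("+") and not line.startswith("+++") and SECRET_RE.search(line):
            hits.append((commit, line[1:]))
    return hits


if __name__ == "__main__":
    # Usage: python check_git_exposure.py https://your-site.example  (run inside the repo to audit history)
    url = sys.argv[1] if len(sys.argv) > 1 else "https://your-site.example"
    print("/.git/HEAD exposed:", git_head_exposed(url))
    log = subprocess.run(["git", "log", "--all", "-p"], capture_output=True, text=True, check=False).stdout
    for commit, line in find_leaked_lines(log):
        print(f"{commit}: {line}")
```

Every line the audit prints was committed at some point, so treat the value as compromised and rotate it even if a later commit removed it.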
AI prompt
Apply across your codebase
Paste this into Cursor, Lovable, Bolt, v0, or Claude Code.
My deployed site has a .git directory accessible at /.git/HEAD. Find out where in my build process .git is being copied into the deployment and remove it. Then help me audit my git history for leaked secrets using `git log --all -p | grep -iE "(key|secret|token|password)"` and list everything that needs rotating.
FAQ
Frequently asked questions
- Can I just block /.git via a redirect?
- A redirect alone is weak — the attacker can bypass it. Remove the files from the deployment. Add host-level rules only as defense in depth.
- Should I also check for .svn and .hg?
- Yes. Same attack, different VCS. Block them all.
Related fix guides
Fix these too
Exposed .env file
An exposed .env file is a critical leak — it contains API keys, database URLs, and secrets. Here is why it happens in vibe-coded apps and how to lock it down.
Read more
Exposed source maps
Source maps in production let anyone read your original, un-minified source code. Useful in dev, dangerous in prod. Here is how to disable them.
Read more
Hardcoded API key in JS
Any secret in your client bundle is public. Here is how to find them, rotate them, and move the calls server-side.
Read more