Safe to keep .git directory in web root?
I'm wondering if it's okay keep the .git directory in the web root for a web site.
The permissions of the .git folder and subfolders is 775 and the file are 644.
I suppose I could just set zero permissio开发者_开发知识库ns for the "others" so that they'd also get access denied?
Thanks
You should put a .htaccess
file in the .git
directory containing the following:
Order deny,allow
Deny from all
this way, no one can access the directory.
In general, there is no answer if it is ok or not. If you are making your project open source anyway than there's no real problem with that. But if it is a private project than somebody could take advantage of the object
-directory to get hold of your source codes
If you want to apply a consistent policy, you should regard your .git
directory as private, since your config may have usernames and passwords (for HTTP) and refer to your testing repositories, which presumably one wouldn't want to publicize the locations of. And maybe you don't want people to see all your development history....
A common solution, which doesn't rely on you correctly denying access to the .git
directory, is to create a bare repository with a post-receive
hook that deploys to a directory in your web space. Then you can deploy your latest version just by pushing to that repository. There's a description of how to set that up here, for instance.
精彩评论