Git On Your Web Server: A Security Reminder

Earlier this month, I wrote about managing a Drupal site with git.  What I neglected to remember, of course, is that this places a full copy of your git repository within your web server's document root.  This has the potential to expose any data in your git repository -- a malicious attacker could (depending on your configuration) clone the entire repository, thus exposing source code, configuration files, database dumps, and other sensitive data.

Adam Baldwin did an interesting study on exposed repositories, and shows that the problem is widespread, even among very large-scale websites.  He also offers points on how to protect your git repositories, but the Nginx directions didn't exactly work for me.  No matter what I tweaked, I couldn't get "deny all;" to actually deny anyone!  I ended up using "return 403;" and that worked quite well.  You could even return 404 if you wanted to hide the repository entirely.  For completeness, here's my configuration for protecting git:

# deny any request whose path contains /.git (the repository and everything beneath it)
location ~ /\.git {
    return 403;
}
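To confirm that a rule like the one above actually covers every repository under a document root (a Drupal site often has nested checkouts, e.g. a module cloned with git, each with its own .git), here is a small audit script.  It is an added example, not code from the original post: it walks a constructed sample document root, lists each .git directory and the files inside it that are worth denying, and evaluates request paths against a Python regex equivalent of the nginx `location ~` pattern.  The regex match is an approximation of nginx's location matching (it assumes no `^~` prefix location short-circuits the regex locations, and that the URI is already normalized).  The tighter pattern `/\.git(/|$)` is an editor's suggestion, included only to show that the post's pattern also catches `/.gitignore`, which you may or may not want.

```python
"""Audit a web document root for git metadata and check which request paths
an nginx `location ~ <regex>` rule would deny.  The sample document root is
constructed in a temporary directory; nothing here touches a live server."""
import os
import re
import tempfile

# Files inside .git that reveal configuration or let a client reconstruct
# history; these are the paths worth confirming your server denies.
SENSITIVE_GIT_FILES = ("HEAD", "config", "index", "packed-refs", "logs/HEAD")

# Python equivalent of the post's rule:  location ~ /\.git
# (matches anywhere in the request URI, so nested repos are covered too)
PAGE_RULE = re.compile(r"/\.git")
# Tighter variant (editor's suggestion, not from the post): the .git directory
# itself and anything under it, but not sibling files such as /.gitignore
TIGHT_RULE = re.compile(r"/\.git(/|$)")


def find_git_dirs(docroot):
    """Return URL paths (relative to docroot) of every .git directory, nested ones included."""
    found = []
    for dirpath, dirnames, _ in os.walk(docroot):
        if ".git" in dirnames:
            rel = os.path.relpath(os.path.join(dirpath, ".git"), docroot)
            found.append("/" + rel.replace(os.sep, "/"))
            dirnames.remove(".git")  # no need to descend into the repo itself
    return sorted(found)


def is_denied(uri, rule=PAGE_RULE):
    """True if an nginx `location ~ <rule>` block would catch this request URI."""
    return rule.search(uri) is not None


def audit(docroot, rule=PAGE_RULE):
    """Map each sensitive path under every .git directory to whether the rule denies it."""
    report = {}
    for git_dir in find_git_dirs(docroot):
        for name in SENSITIVE_GIT_FILES:
            uri = f"{git_dir}/{name}"
            report[uri] = is_denied(uri, rule)
    return report


def build_sample_docroot():
    """Constructed sample: a site repository plus a nested module checkout, both with .git."""
    root = tempfile.mkdtemp()
    for d in (".git", "sites/all/modules/example_module/.git"):
        os.makedirs(os.path.join(root, d, "logs"))
        for f in SENSITIVE_GIT_FILES:
            with open(os.path.join(root, d, f), "w") as fh:
                fh.write("sample\n")
    with open(os.path.join(root, ".gitignore"), "w") as fh:
        fh.write("settings.php\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for uri, denied in audit(root).items():
        print(f"{'DENIED ' if denied else 'EXPOSED'} {uri}")
    # Side effect of the post's regex: /.gitignore is blocked as well.
    print("/.gitignore denied by page rule: ", is_denied("/.gitignore"))
    print("/.gitignore denied by tight rule:", is_denied("/.gitignore", TIGHT_RULE))
```

Point `build_sample_docroot()` at your real document root instead (i.e. call `audit("/var/www/yoursite")`) to get the list of URIs you should then request against the live server and confirm they come back 403 or 404; a 200 on any `.git/HEAD` means the location block is not being reached.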