Security: Blocking SVN/Git files with LightTPD and Apache
Shaun, Mar 4

If you use a source control management solution like SVN or Git for your web applications, as we do, you know how convenient it is to deploy changes to a production server. You can simply run svn up or git pull to update your web server with the latest revision of your app.
There's a huge security risk involved here, though. With the standard Apache or LightTPD setup, all of the files in the .svn or .git directories are available for download.
SVN Example
You have your app running out of /home/example.com/html/. Let's say a user wants the source code of your index.php file. All they would need to do is go to this URL: http://example.com/.svn/text-base/index.php.svn-base
That's it; there's your source code.
Git Example
Git can be even more dangerous depending on your setup (specifically, if visitors can browse directory listings). If they can download your .git directory, they now have a copy of your repository.
So how do I protect myself from this?
Some people like to run svn export instead of svn checkout, or, for Git users, git checkout-index instead of git pull.
Sure, this works, but it's not ideal: you can't simply pull the changes and be live.
After you check out your app, do the following:
Apache
Put the config items below in the .htaccess file in your root web directory.
LightTPD
Put the config items below in your lighttpd config file.
Now when you go to those files, you won't be able to access them.
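As an added example (not the post's own config, which is not reproduced here), this is an Apache .htaccess for the web root that refuses every request whose path contains a .svn or .git component, including the text-base URL shown above and nested checkouts; it assumes mod_alias is loaded and that AllowOverride permits FileInfo and Options.

```apache
# Added example .htaccess for the web root (not the post's own config).
# Answer 404 for any path with a .svn or .git component, e.g.
#   /.git/HEAD
#   /.svn/text-base/index.php.svn-base
#   /sub/.git/config
# 404 rather than 403 so the response doesn't confirm the directory exists.
RedirectMatch 404 "(^|/)\.(svn|git)(/|$)"

# The Git case in the post is worse when directory listings are on,
# so switch them off as well (needs AllowOverride Options).
Options -Indexes
```

For LightTPD the equivalent is a URL conditional in lighttpd.conf, `$HTTP["url"] =~ "(^|/)\.(svn|git)(/|$)" { url.access-deny = ("") }`, and after either change verify with a plain GET of /.git/HEAD and /.svn/entries that the server no longer returns file contents.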