Blocking .svn and .git Directories on Apache or IIS
One of the issues that our HackMyCF ColdFusion Server Scanner checks for is the existence of public .svn/ directories. Exposing these directories to the public could lead to information disclosure, such as exposure of your server-side source code.
Blocking .svn and .git Directories on Apache
Just add the following to your
RedirectMatch 404 (?i)\.git
RedirectMatch 404 (?i)\.svn
Or if you want to block all hidden directories (probably not a bad idea) you can do this:
RedirectMatch 404 (?i)/\..+
Blocking on IIS
On IIS7+ you can use the awesome request filtering feature to accomplish this. The most appropriate way to do this would probably be with the hiddenSegments feature. You can do this using the GUI or in your web.config file as follows:
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".git" />
          <add segment=".svn" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
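The following Python sketch is an added example, not code from the original post. It models how the Apache patterns and the IIS hiddenSegments list above treat a few constructed request paths. It assumes Python's re behaves like Apache's regex engine for these simple patterns and that hiddenSegments compares whole path segments case-insensitively.

```python
import re

# Apache rules from the article. RedirectMatch applies an unanchored regex to
# the URL path (assumption: Python's re matches these patterns the same way).
APACHE_RULES = {
    "git": re.compile(r"(?i)\.git"),
    "svn": re.compile(r"(?i)\.svn"),
    "all_hidden": re.compile(r"(?i)/\..+"),
}

# Segments from the article's web.config <hiddenSegments> list.
IIS_HIDDEN_SEGMENTS = {".git", ".svn"}


def apache_blocks(path, rules=("git", "svn")):
    """Return the names of the enabled RedirectMatch rules that 404 this path."""
    return [name for name in rules if APACHE_RULES[name].search(path)]


def iis_blocks(path):
    """Model hiddenSegments: deny when a whole path segment equals an entry
    (assumption: the comparison is case-insensitive)."""
    return any(seg.lower() in IIS_HIDDEN_SEGMENTS for seg in path.split("/") if seg)


# Constructed sample paths, not taken from any real server.
SAMPLE_PATHS = [
    "/.git/config",                       # repository metadata: must be blocked
    "/.GIT/HEAD",                         # same, different case
    "/app/.svn/entries",                  # nested working copy
    "/.gitignore",                        # substring match on Apache only
    "/docs/using.github.html",            # legitimate page caught by \.git
    "/.well-known/acme-challenge/token",  # caught only by the all-hidden rule
    "/index.cfm",                         # ordinary page: never blocked
]

if __name__ == "__main__":
    print(f"{'path':38} {'git+svn':10} {'all hidden':12} IIS")
    for p in SAMPLE_PATHS:
        narrow = ",".join(apache_blocks(p)) or "-"
        broad = "404" if apache_blocks(p, rules=("all_hidden",)) else "-"
        print(f"{p:38} {narrow:10} {broad:12} {'404' if iis_blocks(p) else '-'}")
```

The unanchored `\.git` pattern also returns 404 for unrelated URLs that merely contain ".git", and the all-hidden-directories rule covers `/.well-known/` paths, so check whether your site serves anything from either before enabling them.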
Blocking .svn and .git Directories on Apache or IIS was first published on October 15, 2013.