🤖 Ghostwritten by GPT 5.4 · Fact-checked & edited by Claude Opus 4.6 · Curated by Tom Hundley
If your live app accidentally includes its .git folder, attackers can pull down your source code, inspect your project history, and grab deployment details or secrets. This is not a theoretical edge case. Internet-wide scans have repeatedly found millions of web servers exposing Git metadata, with hundreds of thousands of .git/config files containing deployment credentials. For vibe coders, one bad deploy can turn your app into an open filing cabinet.
Here's the plain-English version: the .git folder is the hidden control room for your project. It keeps the history of your files, where the code came from, and sometimes enough information to help an attacker move deeper into your systems. If that hidden folder gets uploaded to production, someone can often reconstruct your app even if the public site looks harmless.
I'm telling you this because I don't want you to learn it the hard way. These git folder exposure findings are a flashing red warning for anyone shipping apps with Cursor, Bolt, Replit, v0, Lovable, or similar tools. Production deployment security is no longer optional. It's basic self-defense.
TL;DR: An exposed .git folder can let attackers rebuild your app and search it for weak spots, secrets, and ways in.
This problem has been around for years, and every new internet-wide scan confirms it remains widespread. Researchers consistently find millions of web servers exposing Git metadata and hundreds of thousands of .git/config files containing active deployment credentials. That is a giant neon sign saying: too many people are shipping internal project files straight to the public internet.
Here's how this goes wrong in real life. A person builds an app locally or inside a cloud coding tool. They click deploy, or drag their whole project folder into hosting, or use a helper script generated by AI. The site works, everyone celebrates, and nobody notices the hidden .git directory got uploaded too.
Attackers know to look for that exact mistake. They don't need genius-level hacking skills. They just visit common paths like:
yourdomain.com/.git/yourdomain.com/.git/configyourdomain.com/.git/HEADIf the server hands those files over, they can often reconstruct the repository. That means your:
This is why git config vulnerabilities matter. The config file may not always contain a password, but it often tells an attacker where the code lives, how it is deployed, and what services are connected. Combine that with a stray key, a weak admin page, or a leaked .env file, and now you have a real breach chain. If you haven't read it yet, .env Files Explained: Protect Your API Keys Today connects directly to this problem.
Definitive statement: If your .git folder is public, assume your code is public too.
TL;DR: Think of .git as your app's private back office — it should never be on the public website.
When you build software, Git is the tool that tracks changes over time. The .git folder is where that tracking data lives. It is not part of the app your visitors need. It is your workshop notebook, spare keys, and shipping records all stuffed in one drawer.
Here's a simple analogy:
| Item | Real-world analogy | Should customers see it? | Risk if exposed |
|---|---|---|---|
| App files | The storefront | Yes | Normal |
.git folder |
The manager's office and file cabinet | No | Code reconstruction, credential leaks, internal details |
.env file |
Sticky note with passwords under the desk | No | Immediate secret theft |
The danger is not just the current code. Git also stores history. If you accidentally added a secret last week and "deleted it later," Git history still remembers it. That means credential leaks can happen from old commits, not just current files.
Git config can also reveal remote repository addresses. That tells attackers where your code is hosted and how your team works. In some cases, exposed metadata helps them automate further attacks. Security researchers at organizations like Cybernews have repeatedly published findings on exposed secrets and misconfigured servers; the pattern is the same every time: small configuration mistakes create big openings.
For vibe coder security, the biggest trap is this: AI tools make deployment feel like magic. Magic is fun. Hidden files are still real. If the tool uploads your whole project folder, it may upload things you never meant to publish.
Also read Your AI Coding Assistant Is Leaking Your API Keys because the two mistakes often travel together: secrets in code, and code history exposed to the world.
TL;DR: If you deploy by clicking buttons without inspecting what gets uploaded, you are exactly the kind of target this mistake hurts.
You do not need to run a giant company to be worth attacking. Small apps are attractive because they're often softer targets. Attackers use bots that scan huge chunks of the internet looking for easy wins. They are not picking you personally. They are sweeping the neighborhood checking which doors are unlocked.
This means three practical things.
If .git is exposed, someone can rebuild the app structure and inspect your logic. That helps them find admin routes, payment logic, weak access checks, or places where users can see each other's data.
Git history preserves older mistakes. If you ever committed keys, tokens, or connection strings, they may still be retrievable from history.
An exposed .git folder plus weak database rules plus leaked secrets is how bad days begin. That's why app security has layers. For example, Supabase RLS Explained: The Lock Your Database Needs matters because even if code leaks, row-level security can still reduce the blast radius.
The scale of this problem — millions of servers with exposed Git metadata found in repeated internet-wide scans — shows this is not a rare weird bug. It is a common deployment mistake. And common mistakes get automated by attackers fast.
Definitive statement: Production deployment security is not a fancy enterprise concern. It is the difference between shipping an app and publishing your internals.
TL;DR: Test your live site for .git exposure, remove the folder from production, rotate any exposed secrets, and lock down future deploys.
Do this slowly, step by step.
Open a browser and try these addresses on your own domain:
https://yourdomain.com/.git/HEADhttps://yourdomain.com/.git/confighttps://yourdomain.com/.git/indexWhat you want:
What you do not want:
ref: refs/heads/mainIf you see file contents, stop and treat it as a real incident.
Tell your AI tool exactly this:
My live website may be exposing the .git folder. I need you to help me remove .git from the deployed app without breaking the site. Give me step-by-step instructions for my hosting platform. Assume I am a non-developer. Also tell me how to prevent hidden folders from being deployed again.If you deploy by uploading a folder manually, do not upload the whole project root blindly. Create a clean export that contains only the files the website needs to run.
If .git/config or history was exposed, assume secrets are compromised. Replace:
Do not just delete old keys from code. Replace them in the service dashboard so the old ones stop working.
Your deployment security checklist should include this rule: hidden development files do not go live.
Ask your AI tool:
Create a deployment checklist for my app that prevents git folder exposure, .env file leaks, debug page exposure, and secret files from going to production. Write it in plain English and include a pre-launch checklist I can follow every time.After making changes, test the same URLs again. Do not assume it worked. Verify.
TL;DR: Use AI to help you secure deployment, but give it a precise checklist so it doesn't hand-wave the dangerous parts.
Here is a prompt you can paste into Cursor, Replit, Bolt, Lovable, or another assistant:
I am a non-developer deploying a web app. Audit my project for production deployment security problems. Specifically check for git folder exposure, git config vulnerabilities, credential leaks, exposed .env files, debug routes, backup files, and public admin pages. Explain each finding in plain English. Then give me a fix plan with exact file changes, where to click in hosting settings, and a final verification checklist.Use this bare-bones checklist before every deploy:
| Check | What good looks like | What bad looks like |
|---|---|---|
.git paths |
Return 404 or access denied | Files open in browser |
.env paths |
Return 404 or access denied | Secrets visible |
| Debug pages | Disabled on live site | Error details visible |
| Admin routes | Protected by login | Publicly reachable |
| Old keys | Rotated after any leak | Same keys still active |
One more thing: if your AI tool says "looks secure" without showing how it checked, push back. Ask it to list exact URLs tested, exact files excluded from deployment, and exact secrets rotated. Vague security advice is how people get burned.
They use it as a map. It can reveal repository locations, branch details, and deployment clues that help them reconstruct your code or target connected services. On its own it may not be enough for a full takeover, but combined with other mistakes it becomes dangerous fast.
Not necessarily. Test multiple common paths like .git/HEAD and .git/config, and confirm they return an error or access denial. Directory listing may be disabled while individual files are still accessible. Also check for related problems like exposed .env files and debug pages.
Because Git history still contains the old value. If the .git folder was exposed, attackers can recover earlier versions of files. Once a secret might have leaked, replacement is safer than hope.
Sometimes, sometimes not. Some platforms package and deploy safely; others may publish more of your project than you realize, especially with custom hosting setups. You still need to verify what is public after deployment.
Take the site out of public access if you can, remove .git from production, rotate potentially exposed credentials, and then verify the fix by testing the same URLs again. After that, review your commit history for anything sensitive that may have been stored there.
Git folder exposure can reveal your codebase and internal project details.Git config vulnerabilities become much worse when paired with old secrets in Git history.Production deployment security means checking what actually goes live, not just trusting the deploy button.deployment security checklist can prevent avoidable credential leaks.vibe coder security, the safest habit is verify, then deploy — not the other way around.The numbers from internet-wide scans are ugly because they point to a very human mistake: people ship the whole project instead of just the app. If that's you, you are not stupid. You are just one hidden folder away from a bad day.
Check your live site today. Fix it if needed. Rotate anything that may have leaked. Then build yourself a boring, repeatable deployment habit. That's how you stay in the game.
Share this with someone who needs it. Come back tomorrow for the next lesson.
You've got this. See you tomorrow.
Discover more content: