home / blog / podcasts / videos / notes / photos / about / more

Thanks to a responsible disclosure I learned some new attack vector today which I really never paid any attention to. Make sure your private .git directories aren't accessible via your web server otherwise you could expose everything including passwords stored in that repository.

I added this to my Nginx config files:

location ~ /\.(?!well-known\/) {
    deny all;

Have you written a response? Let me know the URL:

There's also indie comments (webmentions) support.