a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment
deanSolecki  ·  3413 days ago  ·  link  ·    ·  parent  ·  post: One in every 600 websites has .git exposed

Ah. I deploy from heroku, so this is likely not even possible, but since I tend to follow an "established" project structure maybe I'm wrong.

Even when I am running a server at localhost, though, it seems like the routes that I declare dictate what is available from a browser, so rails might also play gatekeeper (it exposes resources automatically if they're there [I'm on my windows install, so I can't check if anything else is exposed, but I suspect not,] but that's intended, and some sort of user model plays gatekeeper in that case.) If something is at index saying, "anything that comes in, lemme have a peak at it" it seems like you'd have to intentionally compromise yourself to have issues with this.

I guess my lack of experience with "server servers" has given me a blind spot, since "sort of servers" (abstract servers? I don't know how you draw that distinction) don't have these issues, as far as I'm aware.

I'm rambling, but basically, if your backend is rails/rails-api, you probably can't expose yourself without explicitly doing so, outside of permissions to routes you've explicitly declared, or resource routes that are implicitly declared by rails' scaffolding?