a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment by j4d3
j4d3  ·  3413 days ago  ·  link  ·    ·  parent  ·  post: One in every 600 websites has .git exposed

It does depend on your project structure more than what you are building with. The solution is to make sure your web server is only showing the Internet the files you want it to. Set appropriate file permissions, of course, but also make sure your server doesn't show the contents of directories if there's no other page to load there. On an Apache server, those settings are in .htaccess.





deanSolecki  ·  3413 days ago  ·  link  ·  

Ah. I deploy from heroku, so this is likely not even possible, but since I tend to follow an "established" project structure maybe I'm wrong.

Even when I am running a server at localhost, though, it seems like the routes that I declare dictate what is available from a browser, so rails might also play gatekeeper (it exposes resources automatically if they're there [I'm on my windows install, so I can't check if anything else is exposed, but I suspect not,] but that's intended, and some sort of user model plays gatekeeper in that case.) If something is at index saying, "anything that comes in, lemme have a peak at it" it seems like you'd have to intentionally compromise yourself to have issues with this.

I guess my lack of experience with "server servers" has given me a blind spot, since "sort of servers" (abstract servers? I don't know how you draw that distinction) don't have these issues, as far as I'm aware.

I'm rambling, but basically, if your backend is rails/rails-api, you probably can't expose yourself without explicitly doing so, outside of permissions to routes you've explicitly declared, or resource routes that are implicitly declared by rails' scaffolding?