Fix guide · critical · exposed_git_directory

.git directory accessible at your public root

What this rule means

Your /.git/HEAD or /.git/config was reachable over HTTP. Once those two files respond, the rest of the directory (refs, packed-refs, the index and the loose or packed objects) can normally be fetched the same way, which is enough to reconstruct the full source tree and its history.

Why it matters

An attacker can pull the entire .git tree, reconstruct your codebase including all history, and find every secret that was ever committed, including ones that were later deleted from the working tree but still live in old commits. Directory listing does not need to be enabled for this: object names are discoverable from HEAD, the refs and the index, so each file can be requested by name.

How to fix it

  1. **Block /.git/* paths** in your web server, CDN or deploy config so that every request under /.git/ (and /.git itself) is refused. Returning 404 rather than 403 avoids confirming that the directory exists.
  2. Rotate every secret that was ever committed, even briefly. Rewriting or squashing history does not undo the exposure: anyone who fetched the directory already holds a copy.
  3. Stop deploying the .git directory at all; the block in step 1 is a safety net, not the fix. Most CI systems can clone with --depth 1 and run rm -rf .git before the build output is published. The rm -rf is what removes the exposure; the shallow clone only limits how much history a leaked copy would contain.
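The three steps above, as one deploy-time script. This is an added example, not vibecheck's own tooling: it builds a deploy tree with every .git entry stripped (including nested ones from submodules), writes an nginx rule that answers 404 for anything under /.git, verifies the result, and can probe a live site for /.git/HEAD the way the scanner does. The function names, the assumption that the site is served by nginx, and the sample tree used in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not vibecheck's code): strip .git from a deploy tree,
# emit a deny rule, verify, and optionally probe a live site.
# Function names and the nginx assumption are illustrative choices.
set -eu

# Write an nginx location block that answers 404 for any path starting
# with /.git: /.git/HEAD, /.git/config, /.git/objects/..., and also
# /.gitignore, which a public root should not serve either.
# A plain 404 (rather than "deny all", which yields 403) does not confirm
# that the directory exists. Argument: output file path.
write_nginx_deny_rule() {
    out="$1"
    cat > "$out" <<'EOF'
# Refuse every request that begins with /.git (HEAD, config, objects, ...).
location ~ /\.git {
    return 404;
}
EOF
}

# Copy a checkout into a fresh deploy directory, pruning every .git
# entry (directory or file; submodules use a .git *file*) on the way.
# Arguments: source checkout dir, destination deploy dir.
build_deploy_tree() {
    src="$1"; dst="$2"
    rm -rf "$dst"
    mkdir -p "$dst"
    (cd "$src" && find . -name .git -prune -o -type f -print) |
    while read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp "$src/$f" "$dst/$f"
    done
}

# Return 0 if the tree contains no .git entry at any depth, 1 otherwise,
# listing offenders on stderr. Run this against the published root.
check_no_git_dir() {
    hits=$(find "$1" -name .git)
    if [ -n "$hits" ]; then
        printf 'exposed .git found:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Probe a live site: /.git/HEAD is exposed if it returns a body that
# looks like a git HEAD file ("ref: refs/heads/..." or a bare 40-hex
# commit id). Returns 1 when exposed, 0 otherwise. Needs network access,
# so the offline test below does not call it.
probe_git_head() {
    url="${1%/}/.git/HEAD"
    body=$(curl -fsS --max-time 10 "$url" 2>/dev/null) || return 0
    if printf '%s\n' "$body" | grep -Eq '^(ref: |[0-9a-f]{40})'; then
        echo "EXPOSED: $url -> $body"
        return 1
    fi
    return 0
}

# Usage: sh harden-deploy.sh <checkout-dir> <deploy-dir> [https://site]
# With no arguments the script only defines the functions above.
if [ "$#" -ge 2 ]; then
    build_deploy_tree "$1" "$2"
    check_no_git_dir "$2"
    write_nginx_deny_rule "$2.deny-git.conf"
    if [ "$#" -ge 3 ]; then
        probe_git_head "$3"
    fi
fi
```

Run check_no_git_dir against the directory your web server actually serves, not the CI workspace: a .git directory copied in by a later step, or an older deploy still on disk, is what this rule usually catches. The nginx snippet belongs inside the server block that serves the public root; include it and reload, then confirm with the probe that /.git/HEAD no longer returns a ref line.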

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.

Run another inspection