Preventing direct access to hidden files and folders

Hidden files and folders usually contain configuration data and other goodies not intended for public consumption. Git, for example, saves all sorts of useful information in a root-level directory named .git.

By default these files and folders don’t appear in a directory listing, but depending on server setup and where they live relative to the hosting directory, they might be accessible via web browser.

To deny direct access to all such “hidden” files and folders, add this to your .htaccess file:

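# Prevent direct access to files or folders starting with a dot
RewriteEngine On
# THE_REQUEST is the raw request line, e.g. "GET /.git/HEAD HTTP/1.1"
RewriteCond %{THE_REQUEST} ^.*/\.
# Answer with 404 Not Found ([F] would send 403 Forbidden instead)
RewriteRule (^\.|/\.) - [R=404,L]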

Now, if a curious user goes snooping around for, say, .git/HEAD on your site, they’ll get a nice, bland 404 error for their troubles.
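To see what the rule covers on a given site, the added example below (not part of the original page) walks a document root, lists every file with a dot-prefixed path segment, and checks each path against the two patterns from the rule. The function names and the sample tree are constructed for illustration, and the matching approximates a plain GET with no query string or percent-encoding.

```python
import os
import re
import tempfile

# The two patterns from the .htaccess rule above.
COND = re.compile(r"^.*/\.")       # RewriteCond %{THE_REQUEST}
RULE = re.compile(r"(^\.|/\.)")    # RewriteRule pattern (per-directory path)

def rule_blocks(url_path):
    """Approximate the rule for a plain GET of url_path (no encoding, no query)."""
    request_line = f"GET {url_path} HTTP/1.1"
    per_dir_path = url_path.lstrip("/")  # .htaccess context drops the leading slash
    return bool(COND.search(request_line) and RULE.search(per_dir_path))

def hidden_paths(docroot):
    """Return URL paths of every file under docroot with a dot-prefixed segment."""
    found = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), docroot)
            segments = rel.split(os.sep)
            if any(s.startswith(".") for s in segments):
                found.append("/" + "/".join(segments))
    return sorted(found)

def build_sample_docroot(root):
    """Constructed sample tree, not taken from any real site."""
    for rel in (".git/HEAD", ".env", "css/site.css", "index.html",
                ".well-known/security.txt", "docs/.htpasswd"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

def audit(docroot):
    """Map each hidden path to whether the rule would refuse it."""
    return {p: rule_blocks(p) for p in hidden_paths(docroot)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        for path, blocked in audit(root).items():
            print(f"{'blocked' if blocked else 'EXPOSED':8} {path}")
        print("index.html blocked?", rule_blocks("/index.html"))
```

The rule also refuses everything under /.well-known/, so a site that serves security.txt or ACME HTTP-01 challenge files from that directory needs an exception for it.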