I received an email today from an independent security researcher which detailed a vulnerability in pdemro.com. I am using a pretty old version of the Ghost docker image which apparently serves a directory which is a Git repository (including a .git folder). The vulnerability exploited my permissive Caddy configuration to access the git HEAD. To reproduce, the researcher built a robot to hit websites at /.git/HEAD. Read all about the vulnerability and why it is important to mitigate on his website https://smitka.me/

The blog offers examples of Nginx and Apache configurations which address the vulnerability, but sadly leaves out Caddy! Here is my best shot at a caddy config which mimics the suggested Nginx and Apache versions. From what I can tell, Caddy dosn't have a Deny verb but it does have a rewrite which seems to fit:


pdemro.com www.pdemro.com {  
  <other config stuff>

  rewrite {
    r /\..*
    to /

Nginx Similar

location ~ /\.(?!well-known\/) {  
    deny all;

Title Image Florence 11 by TeacherPouch LLC / CC BY-SA-NC 3.0