Sersiously?

I have recently disclosed a couple of websites with issues relating to exposed .env and exposed .git web resources. Theses websites belongs to reputable local companies. To make matters worse, one of it has its entire envrionment credentials stored in the .env file and potentially allowing an attacker to take over the database and AWS environment. That's right, AWS environment.

Yes the blog title is literally "Seriously?".

To my readers, if you can type in https://<your_domain>/.git/HEAD or https://<your_domain/.env and receive a reply that looks like a text file, your number one priority is to fix it.

In a typical capture the flag compeition, finding this issue and successfully "exploiting" it is a point for the participant. But in a real world public internet scenario, it could be the next data breach news headline.

Some personal insights...
A typical exposed .env usually belongs to a PHP framework, like Laravel. It was only for this instance, I encountered a Wordpress app which has an exposed .env file. (Even though Wordpress is also using PHP)

Here are some resources to help you fix such issues:
[Apache] https://serverfault.com/questions/128069/how-do-i-prevent-apache-from-serving-the-git-directory
[Nginx] https://gist.github.com/jaxbot/5748513

Note: Links above shows how one can reconfigure their web server to prevent the serving of .git resources. The same can be done for .env paths. Alternatively, WAFs or Cloudflare can be used.

Finally...
Stay safe, and be responsible for your own data. Cheers!