Jon Simpson

Subversion and Webroot Security

27 Feb 2007 — subversion, htaccess, apache

I’ve taken up managing my deployed web applications with subversion, similar to how I manage my Wordpress installs.

However, a new issue arises. The source code to my apps is not necessarily a public domain, open source deal (like Wordpress), and there is nothing to stop someone going to or and poking around at the code. This problem gets even worse if the configuration is being version controlled (think database usernames/passwords).

A fix, aggregated from several posts on subversion-users: add the following lines to your Apache configuration file (tested on Apache 2).

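# Deny every request that resolves to a .svn directory or anything inside it.
# On Apache 2.4 and later, use "Require all denied" in place of the two access lines.
<DirectoryMatch /\.svn(/|$)>
  Order allow,deny
  deny from all
</DirectoryMatch>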

Well recommended for anyone using subversion in publicly visible directories on web servers.
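To see which directories the DirectoryMatch rule above actually covers, this added example (not part of the original post) walks a webroot, finds Subversion administrative areas, and tests each path against the same pattern. The function names and the sample tree are constructed for illustration; it assumes an administrative area can be recognised by an `entries` file (working copies before 1.7) or a `wc.db` file (1.7 and later).

```python
import os
import re
import tempfile

# Same pattern as the DirectoryMatch rule above (Apache uses PCRE; this
# simple expression behaves the same under Python's re module).
SVN_RULE = re.compile(r"/\.svn(/|$)")
# Assumption: these files mark a Subversion administrative area.
ADMIN_MARKERS = {"entries", "wc.db"}


def rule_covers(path):
    """True if the DirectoryMatch pattern matches this directory path."""
    return SVN_RULE.search(path.replace(os.sep, "/")) is not None


def audit_webroot(webroot):
    """Return {relative_dir: covered} for every directory under webroot
    that looks like a Subversion administrative area."""
    findings = {}
    for current, _dirs, files in os.walk(webroot):
        if ADMIN_MARKERS & set(files):
            # Apache matches the full filesystem path; the path relative to
            # the webroot gives the same answer for directories below it.
            rel = "/" + os.path.relpath(current, webroot).replace(os.sep, "/")
            findings[rel] = rule_covers(rel)
    return findings


def build_sample_webroot(root):
    """Constructed sample tree: two .svn areas and one renamed copy."""
    for rel in (".svn", "lib/.svn", "old/.svn.bak"):
        os.makedirs(os.path.join(root, rel))
        open(os.path.join(root, rel, "entries"), "w").close()
    open(os.path.join(root, "index.php"), "w").close()


def run_demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        return audit_webroot(root)


if __name__ == "__main__":
    for directory, covered in sorted(run_demo().items()):
        print(("denied       " if covered else "NOT COVERED  ") + directory)
```

The renamed copy `old/.svn.bak` is reported as not covered: the `(/|$)` part of the pattern requires the directory name to be exactly `.svn`, so backup copies of the metadata need to be removed or blocked separately.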