Security Check Error: \..* files should not be public

by Jason Press -
Number of replies: 2

I'm running Moodle 4.1.3+ (Boost theme) and recently noticed an error in the Site Admin > Reports > Security checks > "Check all public / private paths" area.

When I click "More info", I see the following:

Error > ".git/HEAD" | Category: ^\..* | Details: ^\..* files should not be public
Expected permissions = 404
Actual permissions = 400

Here is a screenshot:

[Screenshot]

I initially thought this might have something to do with the code mentioned here: https://docs.moodle.org/401/en/Apache#Hiding_internal_paths, but I already have this block of "mod_rewrite" code in my .htaccess file. Next, I thought I could try to adjust the permissions to 404 to match the "expected" value of "400" but I haven't been able to find any .git/HEAD file on my site.

Any advice would be greatly appreciated.
Average of ratings: -
In reply to Jason Press

Re: Security Check Error: \..* files should not be public

by Jason Press -
Please let me know if this should be in a different forum category.
In reply to Jason Press

Re: Security Check Error: \..* files should not be public

by salma khan -
It seems that you have encountered an error in the security checks of your Moodle site. The specific error you mentioned is related to the ".git/HEAD" file, which should not be publicly accessible. It appears that the expected permission for this file is 404, but the actual permission is 400.

You mentioned that you have already included the necessary "mod_rewrite" code in your .htaccess file as mentioned in the documentation. Since you couldn't locate the .git/HEAD file on your site, it's possible that it is either not present or located in a different directory.

To resolve this issue, here are a few suggestions:

Double-check your file structure: Ensure that the .git/HEAD file is not present in any public directories or accessible locations. If it exists, consider removing it or moving it to a non-public directory.

Review file permissions: Verify the permissions of the directories and files within your Moodle installation. Ensure that the appropriate permissions are set to restrict access to sensitive files.

Consult Moodle community: Reach out to the Moodle community forums or support channels for more specific assistance. Other Moodle users or experts might have encountered a similar issue and can provide guidance tailored to your situation.

Remember, maintaining the security of your Moodle site is crucial, so addressing this issue promptly is important.
Average of ratings: Useful (1)
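
The comparison the report in this thread shows for ".git/HEAD" can be reproduced with a small checker; this is an added example, not part of the thread and not Moodle's own code. It assumes the "expected" and "actual" values are HTTP status codes returned for the requested URL; `fetch_status`, `check_paths`, `make_handler`, `run_demo` and the localhost stand-in server are hypothetical names constructed for the demo.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so the localhost demo is self-contained.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch_status(url):
    """Return the HTTP status code of a GET, including 4xx/5xx answers."""
    try:
        with _OPENER.open(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_paths(base_url, paths, expected=404):
    """Compare each path's actual status code with the expected one."""
    base = base_url.rstrip("/")
    statuses = [(p, fetch_status(f"{base}/{p}")) for p in paths]
    return [{"path": p, "expected": expected, "actual": a, "ok": a == expected}
            for p, a in statuses]


def make_handler(dot_status):
    """Constructed stand-in server: dot-paths get dot_status, the rest 200."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(dot_status if "/." in self.path else 200)
            self.end_headers()
        def log_message(self, *args):  # silence per-request logging
            pass
    return Handler


def run_demo(dot_status, paths=(".git/HEAD",)):
    """Run the check against the stand-in on a free localhost port."""
    with HTTPServer(("127.0.0.1", 0), make_handler(dot_status)) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return check_paths(f"http://127.0.0.1:{server.server_port}", paths)
        finally:
            server.shutdown()


if __name__ == "__main__":
    print(run_demo(400), run_demo(404))
```

Pointing `check_paths` at your own site's base URL reports what the web server answers for ".git/HEAD", whether or not such a file exists on disk.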