cgit
https://git.zx2c4.com/cgit/: A hyperfast web frontend for git repositories written in C.
Apache
cgit_headers
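# 16/08/2025
# Security headers added to every cgit response ("always" = also on 4xx/5xx).
# "set" rather than "append": if the backend or another snippet already emits
# X-Frame-Options, "append" yields "deny, deny" / "SAMEORIGIN, deny", which
# browsers treat as an invalid value and ignore.
Header always set X-Frame-Options deny
# NOTE(review): browsers that understand frame-ancestors let it override
# X-Frame-Options, so the effective framing policy is 'self', not deny —
# confirm which is intended and align the two values.
Header always set Content-Security-Policy "default-src 'self';frame-ancestors 'self'"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Content-Type-Options nosniff
# The legacy XSS auditor has been removed from current browsers and had
# exploitable quirks in the old ones; current guidance (OWASP Secure Headers,
# MDN) is to disable it explicitly with "0" and rely on the CSP above.
Header always set X-XSS-Protection 0
# 23/8/2025
Header always set Permissions-Policy "accelerometer=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), usb=(), gamepad=(), serial=()"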
cgit
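# cgit CGI directory: no .htaccess overrides, open to everyone except the
# listed abusive sources.  Apache 2.4 "Require" syntax throughout: the
# Order/Allow/Deny form is the 2.2 mod_access_compat idiom, and mixing the two
# styles in one configuration is discouraged (the /usr/share/cgit block below
# already uses Require).
<Directory {{ webmut_basedir }}/{{ item.name }}/private/cgi-bin>
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not ip 117.48.149.53
        # TencentCloud
        Require not ip 47.76.0.0/14
        Require not ip 175.24.0.0/16
    </RequireAll>
</Directory>
# Static assets (css, logo, favicon) shipped with the cgit package.
<Directory /usr/share/cgit>
    Require all granted
</Directory>
# CGR 12/3/2015 see https://wiki.mattrude.com/Cgit
<IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
    # Don't compress content that is already compressed.
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
    # Dealing with proxy servers: tell caches the (compressed or not) response
    # depends on the User-Agent.
    <IfModule mod_headers.c>
        Header append Vary User-Agent
    </IfModule>
</IfModule>
# CGR 24/5/2024 - cap concurrent connections per client IP.
<IfModule mod_qos.c>
    QS_SrvMaxConnPerIP 15
</IfModule>
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit {{ webmut_basedir }}/{{ item.name }}/private/cgi-bin/cgit
ExpiresActive On
# ExpiresByType image/jpeg "access plus 5 weeks"
# ExpiresByType image/gif "access plus 5 weeks"
ExpiresByType image/png "access plus 5 weeks"
ExpiresByType text/css "access plus 1 week"
# ExpiresByType application/x-javascript "access plus 49 hours"
# ExpiresByType text/javascript "access plus 49 hours"
# ExpiresByType text/plain "access plus 49 hours"
RewriteEngine on
# Crude SQL-injection filter: refuse any /cgit request whose query string
# contains "union" or "select".  NOTE(review): this is a plain substring match,
# so a legitimate cgit search (?q=...) containing those words is refused too.
RewriteCond %{REQUEST_URI} /cgit
RewriteCond %{QUERY_STRING} union [NC,OR]
RewriteCond %{QUERY_STRING} select [NC]
RewriteRule ^(.*)$ - [F]
# User-Agent bans.  RewriteCond performs an unanchored regex search, so the
# former ^(.*)...(.*)$ wrappers added nothing.  cgit_check.py expects 403 for
# each of these strings.
RewriteCond %{HTTP_USER_AGENT} Nmap
RewriteRule .* - [F]
# "Chrome/NN." and "Firefox/NN.": two-character (in practice two-digit) major
# versions, i.e. browser strings from years ago that real clients no longer send.
RewriteCond %{HTTP_USER_AGENT} Chrome/..\.
RewriteRule .* - [F]
RewriteCond %{HTTP_USER_AGENT} Firefox/..\.
RewriteRule .* - [F]
# Send the bare site root to the cgit index.  In server/vhost context the
# matched path always starts with "/", so the former "^$" rule could never
# match and has been dropped.
RewriteRule ^/+$ /cgit [R=301,L,NE]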
robots.txt
# su - rcube -s /bin/bash
$ cd ~/public_html
$ cat << EOF > robots.txt
cat robots.txt
User-agent: *
Crawl-Delay: 3
Disallow: /*?*
$ chmod 644 robots.txt
security.txt
# su - rcube -s /bin/bash
$ install -d -m 0755 ~/public_html/.well-known
$ cd ~/public_html/.well-known
$ wget -N https://www.cgsecurity.org/.well-known/security.txt
$ chmod 644 security.txt
Audit
cgit_check.py
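#!/usr/bin/python3
"""Smoke-test the public cgit front end.

A current-looking browser User-Agent must get a normal cgit page (plus the
favicon and the security headers the vhost adds), and each User-Agent that the
vhost's RewriteCond rules ban must get 403.  The exit status is non-zero on any
failure so a cron/CI runner can act on it without parsing the output.
Note that ``python3 -O`` strips the ``assert`` checks below; run without -O.
"""
import sys

import requests

# Must NOT match the banned two-character Firefox/Chrome version patterns.
ua = 'Firefox/123.4'
site = 'https://git.cgsecurity.org/'
url = site + 'cgit'
# Bound every request; without a timeout a stalled server hangs the audit forever.
TIMEOUT = 15

s = requests.session()
s.headers.update({'User-Agent': ua})
r = s.get(url, timeout=TIMEOUT)
assert r.status_code == 200, r.status_code
assert "<meta name='generator' content='cgit '/>" in r.text
assert s.get(site + 'favicon.ico', timeout=TIMEOUT).status_code == 200
# Headers the cgit_headers snippet is expected to add to every response.
assert r.headers.get('X-Content-Type-Options') == 'nosniff', dict(r.headers)
assert 'Content-Security-Policy' in r.headers, dict(r.headers)

all_banned = True
for useragent in [
    'Nmap',
    'Chrome/12.3',
    'Firefox/12.3',
]:
    headers = {
        'User-Agent': useragent,
    }
    # Per-request headers override the session User-Agent for this call only.
    status_code = s.get(site, headers=headers, timeout=TIMEOUT).status_code
    banned = status_code == 403
    all_banned = all_banned and banned
    print(str(headers).ljust(32), status_code, '✅' if banned else '❌')

sys.exit(0 if all_banned else 1)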
cgit_check.py output
{'User-Agent': 'Nmap'} 403 ✅
{'User-Agent': 'Chrome/12.3'} 403 ✅
{'User-Agent': 'Firefox/12.3'} 403 ✅
$ twa -d git.cgsecurity.org|grep -v PASS
MEH(git.cgsecurity.org): TWA-0215: Content-Security-Policy 'default-src' is ''self''
FAIL(git.cgsecurity.org): TWA-0220: Feature-Policy missing
https://developer.mozilla.org/en-US/observatory/analyze?host=git.cgsecurity.org