cgit is read-only by design, so the main risk is accidental data exposure through repository discovery, clone access, or web server misconfiguration around the CGI endpoint.
cgitrc: use explicit repository definitions instead of broad scans where possible.

```
# /etc/cgitrc (example)
virtual-root=/
cache-root=/var/cache/cgit
enable-http-clone=0
# cgit reads this file top to bottom and scans the moment it reaches scan-path,
# so options that shape discovery (remove-suffix, strict-export) must precede it
remove-suffix=1
# strict-export names a file that must exist inside a repository for it to be exported
strict-export=git-daemon-export-ok
scan-path=/srv/git/public
```

- scan-path restricted to public repositories only.
- strict-export=git-daemon-export-ok so only repos containing a git-daemon-export-ok file are listed.
- enable-http-clone=0 unless you intentionally allow HTTP cloning.
- Run cgit as a dedicated unprivileged user (e.g. www-data) with read-only access to the repo path.
- Keep repositories under a dedicated path such as /srv/git.
- Block direct web access to .git, objects, and internal paths at the reverse proxy/web server.
- Mount repository storage with nodev,nosuid,noexec where possible.
- Behind a reverse proxy, verify X-Forwarded-Proto correctness.
- Set security headers (X-Frame-Options, X-Content-Type-Options, CSP for static theme files).
- Include /etc/cgitrc and repository metadata permissions as part of baseline configuration backup.

Quick checks:

```sh
sudo grep -E '^(scan-path|strict-export|enable-http-clone)' /etc/cgitrc
sudo find /srv/git/public -maxdepth 2 -type f -name git-daemon-export-ok | head
# test as the cgit user, not as root: root can write almost anywhere, so "sudo test -w" proves nothing
sudo -u www-data test -w /srv/git/public && echo "unexpected write access" || echo "read-only OK"
```
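The grep above only shows which lines exist; the following added example (not cgit's own code or part of the original page) parses a cgitrc and checks it against the baseline, including the ordering rule that discovery options must precede scan-path. The expected values, the public root /srv/git/public and the sample configs are taken from the page or constructed here.

```python
import os

# Expected values of the global options in the hardening baseline above.
# strict-export takes a filename, not a boolean.
BASELINE = {"enable-http-clone": "0", "remove-suffix": "1", "strict-export": "git-daemon-export-ok"}
# Options the scanner reads; cgit parses cgitrc top to bottom and scans as soon as it
# reaches scan-path, so these only take effect if they appear before that line.
SCAN_DEPS = ("strict-export", "remove-suffix")

def parse_cgitrc(text):
    """Return the directives as an ordered list of (key, value); include= is not followed."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_cgitrc(text, public_root="/srv/git/public"):
    """Return a list of findings; an empty list means the baseline is met."""
    pairs = parse_cgitrc(text)
    conf = dict(pairs)  # for a repeated key the last value wins, as in cgit
    last = {key: i for i, (key, _) in enumerate(pairs)}  # last position of each key
    findings = []
    for key, wanted in BASELINE.items():
        if conf.get(key) != wanted:
            findings.append(f"{key} should be {wanted!r}, found {conf.get(key)!r}")
    scan = conf.get("scan-path")
    if scan is None:
        return findings  # repositories are defined explicitly; nothing is scanned
    if os.path.commonpath([os.path.abspath(scan), public_root]) != public_root:
        findings.append(f"scan-path {scan!r} lies outside {public_root!r}")
    for dep in SCAN_DEPS:
        if dep in last and last[dep] > last["scan-path"]:
            findings.append(f"{dep} is set after scan-path, so scanned repositories ignore it")
    return findings

# Constructed samples: the hardened layout from the page and a permissive variant.
GOOD_CGITRC = "virtual-root=/\nenable-http-clone=0\nremove-suffix=1\n" \
              "strict-export=git-daemon-export-ok\nscan-path=/srv/git/public\n"
BAD_CGITRC = "scan-path=/srv/git\nenable-http-clone=1\nstrict-export=1\nremove-suffix=1\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD_CGITRC), ("bad", BAD_CGITRC)):
        print(name, audit_cgitrc(text) or ["baseline met"])
```

Run it against a real file with `audit_cgitrc(open("/etc/cgitrc").read())`; any `include=` files it references must be audited separately.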
cgitrc(5) reference: https://git.zx2c4.com/cgit/tree/cgitrc.5.txt