by jonhohle 242 days ago
Instead of excluding non-public directories, I like to make an explicit `public` directory (or `doc`, `doc-root`, whatever you want to call it). Then configure your server to point to that subdirectory and don’t worry about the repo.

I usually throw `etc` and `log` directories at the top level as well and put my server config in etc, and have a gitignore rule to ignore everything in logs, but it’s there and ready for painless deployment.

Since the web root is already a subdirectory, more sensitive things can go into the same repo without worrying about exposing them.

Storing volatile data (e.g. logs) in the git-managed directory is an excellent way to lose all your data. https://fediverse.blog/~/Prismo/on-prismo-data-loss

You can still get hit by a path traversal exploit. The safest option is to only have the public files on the server.

A path traversal is different from putting private files in a public directory. For a simple static site there will always be certs, /etc, and other things outside of the document root that shouldn’t be served.
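The layout from the top comment (a `public` document root beside `etc` and `log` in one repo) and the traversal concern raised in the replies, as an added example that is not code from any of the commenters. It builds a constructed repo skeleton in a temporary directory, then shows the check a static file handler needs so that a request can only ever resolve to a file inside `public`: decode the path, resolve it (which also follows symlinks), and require the document root to be a parent of the result. The function names (`make_repo`, `resolve_under_docroot`, `serve`, `demo`), the file contents and the `log/*` ignore rule are all assumptions for the demo.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed repo layout (assumption, mirrors the comment): public/ is the
# document root; etc/ and log/ sit beside it and must never be served.
LAYOUT = {
    "public/index.html": "<h1>hello</h1>",
    "public/assets/app.css": "body{}",
    "etc/nginx.conf": "server { root /srv/site/public; }",   # private config
    "log/access.log": "constructed log line",                # volatile data
    ".gitignore": "log/*\n!log/.gitkeep\n",                  # keep dir, drop logs
    "log/.gitkeep": "",
}


def make_repo(base: Path) -> Path:
    """Write the constructed layout under base and return base."""
    for rel, content in LAYOUT.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def resolve_under_docroot(docroot: Path, url_path: str) -> Optional[Path]:
    """Map a request path to a regular file under docroot, or None if it escapes.

    Decoding first defeats %2e%2e tricks; resolve() collapses '..' and follows
    symlinks, so a link in public/ pointing at ../etc is rejected as well.
    """
    root = docroot.resolve()
    # Strip leading slashes so an absolute path cannot override the join.
    candidate = (root / unquote(url_path).lstrip("/")).resolve()
    # Inside the root only if root equals it or is one of its parents.
    if candidate != root and root not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def serve(docroot: Path, url_path: str) -> Tuple[int, str]:
    """Minimal static handler: 200 with body, or 404 for anything unresolvable."""
    target = resolve_under_docroot(docroot, url_path)
    if target is None:
        return 404, ""
    return 200, target.read_text()


def demo() -> Dict[str, int]:
    """Build the repo in a temp dir and return request -> status for sample paths."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = make_repo(Path(tmp))
        docroot = repo / "public"
        requests = [
            "/index.html",              # normal file under public/
            "/assets/app.css",          # nested file under public/
            "/../etc/nginx.conf",       # plain traversal out of the docroot
            "/%2e%2e/log/access.log",   # encoded traversal out of the docroot
            "/etc/nginx.conf",          # private dir is simply not under public/
        ]
        return {r: serve(docroot, r)[0] for r in requests}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status} {path}")
```

The two private requests fail for different reasons, which is the distinction the last reply draws: `/etc/nginx.conf` is a 404 because nothing by that name exists under `public`, while the `..` variants are refused by the parent check even though the files do exist one level up. Real servers such as nginx do this normalisation themselves, but any hand-written handler that joins a request path onto a directory needs the same guard.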