For git repository to be available via HTTP transport, it needs to be "exported" by (any) web server. If your repository (to be more exact its .git
directory) is visible from outside in a web browser, then it can be cloned or fetched anonymously via HTTP protocol. git update-server-info
is used to generate extra auxiliary helper information (.git/objects/info/packs
and .git/info/refs
) for clone (or fetch) to know what is available.
So what you need to do is to either remove those two files (.git/objects/info/packs
and .git/info/refs
), or just make it so your repository is not available via web, perhaps by changing permissions in such way that user which web server runs as (usually 'nobody' or 'www', or 'apache') doesn't have access to .git
repository. Or configure web server so that it doesn't export (make visible) your repository.
The HTTP protocol is (currently) so called "dumb" protocol, meaning that it serves files as is, and access control is done by a [dumb] server, in this instance by web server you use (or by filesystem).
I guess that your repository is not exported by web server, so you don't have anything to worry about: your repository is not available via HTTP.
Note that it is quote usual for Git repositories to have anonymous unauthenticated read-only access, and require authentication only for writing to repository i.e. pushing (at least for open-source projects)