Prevent public access to .git

The version control system Git is now standard in almost every web project and in every environment, production included. Git always creates the subfolder .git, and if that folder sits inside the public document root of the website, sensitive files become publicly readable (for example, requesting /.git/logs/HEAD reveals the last commits). There are detailed write-ups of how a third-party (!) Git repository can be cloned this way even without a directory listing.

To prevent this on an Apache server, you block access to the entire .git folder in the .htaccess file and return a 404 error, so an attacker cannot even tell that the folder exists:

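The .htaccess rules for the Apache case described above, as an added example and not the article's own snippet; it assumes Apache 2.4 with mod_alias loaded and `AllowOverride FileInfo` (or `All`) enabled for the document root.

```apache
# Added example (not the article's own snippet). Put this .htaccess in the web root.
# Assumes Apache 2.4 with mod_alias loaded and AllowOverride FileInfo (or All)
# for this directory.

# Answer 404 for every path containing "/.git": the directory itself, everything
# below it (/.git/HEAD, /.git/logs/HEAD, /.git/objects/...), nested repositories
# such as /vendor/lib/.git/config, and files like /.gitignore. Because the reply
# is identical to that for a path that never existed, a scanner cannot tell
# that a repository is present.
RedirectMatch 404 "/\.git"

# Contrast: a <DirectoryMatch "/\.git"> block with "Require all denied" in the
# vhost config also blocks the folder, but replies 403, which confirms to the
# requester that something is there worth protecting.
```

Verify the rule from outside with a request for /.git/HEAD: the status must be 404, and a 403 means the folder is still being disclosed.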

If you are running an NGINX server instead, these rules do the same:

