Version management Git is now standard in almost every web project and in every environment (including production). Git always creates the subfolder .git and if this is on the level of the public folder of the website, you can publicly access sensitive files (for example, calling /.git/logs/HEAD shows the last commits) . This explains in detail how you can clone a third-party (!) Git repository without a directory listing.
To prevent this, in the case of an Apache server, access to the entire .git folder is restricted in the .htaccess file and a 404 error is issued. The attacker does not know that the folder exists either:
If you have an NGINX server running, these rules do it: