Version control systems such as Git and Subversion store their metadata in hidden folders. When these folders are left reachable over the web, they can reveal sensitive information such as passwords. This holds true even when directory listing is disabled.
—————————————
Solution:
RedirectMatch 404 /\.git
You need to add the above line to your .htaccess or your server config file.
It hides any file or directory whose name begins with .git (e.g. a .git directory or .gitignore file) by returning a 404. So not only are the contents of your Git repo hidden, its very existence is hidden too.
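The scope of that pattern, checked against constructed request paths (an added example, not part of the original post). It goes beyond the page's rule by also testing a wider pattern for the Subversion and Mercurial folders; BROAD_RULE, the sample paths and the helper names are assumptions.

```python
import re

# Pattern from the page's RedirectMatch line. Apache runs it as an unanchored
# search over the URL path, which re.search() mirrors for this simple regex.
PAGE_RULE = re.compile(r"/\.git")

# Assumption (not on the page): a wider pattern that also covers the
# Subversion and Mercurial metadata folders.
BROAD_RULE = re.compile(r"/\.(?:git|svn|hg)")

# Constructed request paths -> True if the path is VCS metadata that should
# never be served.
SAMPLES = {
    "/.git/HEAD": True,
    "/.git/config": True,
    "/.gitignore": True,
    "/blog/.git/index": True,
    "/.svn/entries": True,
    "/.hg/hgrc": True,
    "/.github/workflows/ci.yml": False,
    "/docs/git.html": False,
    "/index.php": False,
}

def is_hidden(rule, path):
    """True if the rule would answer this path with a 404."""
    return rule.search(path) is not None

def missed(rule):
    """VCS metadata paths the rule still lets the server answer."""
    return [p for p, sensitive in SAMPLES.items()
            if sensitive and not is_hidden(rule, p)]

def side_effects(rule):
    """Non-metadata paths hidden only because their name starts the same way."""
    return [p for p, sensitive in SAMPLES.items()
            if not sensitive and is_hidden(rule, p)]

if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("broad rule", BROAD_RULE)):
        print(name, "misses:", missed(rule), "also hides:", side_effects(rule))
```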
Revisions
- October 27, 2015 @ 16:10:18 [Current Revision] by admin