I've recently been alerted to a very common security hole in many well-known web services: an exposed .git directory (or other VCS or otherwise sensitive folders) reachable straight from the web root.
Ideally, code would never be pulled from VCS onto deployment machines but rather pushed (built and copied over), so that no .git directory, with the full history and whatever secrets were ever committed to it, ends up under the document root. But since changing deployment mechanisms takes time, here's a duct-tape solution:
RedirectMatch 404 "(?:.*)/(?:\.git|file_or_dir)(?:/.*)?$"
Add this one-liner to the .htaccess file at the root of the site (or, better, to the vhost configuration, since mod_alias directives in .htaccess only take effect with AllowOverride FileInfo) and Apache will answer 404 for any path containing /.git or /file_or_dir at any depth, and for everything below it. Replace file_or_dir with whatever else must never be served (.svn, .hg, .env and so on). Answering 404 rather than 403 is deliberate: a 403 confirms the directory exists. Two caveats: the match is case-sensitive, so on a case-insensitive filesystem (macOS, Windows) prefix the pattern with (?i), otherwise /.GIT/config still goes through; and the rule only covers requests served through Apache, so the repository is still on the box with its full history. Check it from outside afterwards, e.g. curl -sI https://example.com/.git/HEAD should come back 404.