by kuschku 3246 days ago
You should check out how many services have their entire git repo of their service openly accessible (this allows getting the data out of the git objects, as well as the history).

Quite often you can go to domain.tld/.git/ and find the files if you know their names. Even major sites - The Hill only fixed it in the past few days.


One of the first things I implemented when setting up a company's webserver was to make .git and below return 404. Making those folders visible is a silly idea on SVN, let alone Git.
I've also fallen into this trap, thinking that Apache wouldn't serve up any dotfiles. Wouldn't that be a saner default?
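For the Apache case raised in the comment above, here is an added example (not posted by anyone in the thread) of the equivalent blocking rules in Apache 2.4 syntax. It assumes a DocumentRoot of /var/www/html; Apache's stock configuration only denies ".ht*" files, so anything else beginning with a dot, including a deployed .git/ directory, is served like any other path unless you add rules of this kind:

```apache
# Added example, not from the thread. Apache 2.4 syntax, DocumentRoot assumed
# to be /var/www/html. The shipped config only protects ".ht*" files.

# Deny every file whose name starts with a dot (.env, .gitignore, a .git
# file used by git worktrees, ...).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Deny every dot-directory under the docroot (/.git/, /.svn/, /.hg/, ...),
# except /.well-known/, which ACME (Let's Encrypt) challenges need.
# The regex is matched against the filesystem path, so it is anchored to the
# docroot to avoid matching a dot-directory higher up in the path.
<DirectoryMatch "^/var/www/html/(.*/)?\.(?!well-known)">
    Require all denied
</DirectoryMatch>
```

After reloading, a request to /.git/HEAD on your own host should return 403 rather than the contents of the file, while /.well-known/acme-challenge/ stays reachable. Blocking at the web server is a backstop; the underlying fix is to not deploy the repository metadata into the document root at all.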
For nginx:

  # allow Let's Encrypt (ACME) challenges first: "^~" is a prefix match
  # that takes precedence over regex locations, so this keeps working
  # regardless of where the dotfile block below appears in the config
  location ^~ /.well-known/ {
    root /your/le/directory;   # placeholder: your ACME webroot
    allow all;
  }
  # block every other dotfile and dot-directory (/.git/, /.svn/, /.env, ...)
  location ~ /\. {
    deny all;
  }
intext:"index of /.git" reveals a ton of those.