
Protect .git, .hg and .bzr directories in .htaccess

.htaccess prevents access to various files that are not supposed to be downloaded by users, including CVS's control files in the CVS directory: Entries, Root and Repository. In #28776: Protect svn files in .htaccess, the pattern was expanded to control files used by Subversion. I suggest this is extended to also cover files used by Git.

Unfortunately, we cannot use <DirectoryMatch> in .htaccess. The previous approach has been to include the names of files used by CVS and Subversion, but this isn't possible for Git, because the .git directory and its subdirectories may contain files with more or less any name.

I don't know whether the current list of filenames for CVS and Subversion is complete either (though #105851: finish hiding CVS/* files in .htaccess suggests that it is for CVS).

This patch suggests a new approach. If mod_rewrite is enabled, access to the complete directory is prohibited using a RewriteRule (credit). Otherwise, access to some of the known filenames is blocked using <FilesMatch>.
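The approach described above, sketched as an added example (not the patch from the issue and not Drupal's shipped .htaccess): with mod_rewrite, the whole metadata directory is refused; without it, only some known file names are. The fallback file-name list and the Apache 2.2/2.4 access-control switch are assumptions made for illustration.

```apache
# Added example; this .htaccess is assumed to sit in the web root.

<IfModule mod_rewrite.c>
  RewriteEngine On
  # In .htaccess the pattern is matched against the path relative to this
  # directory, without a leading slash, so anchor on start-of-path or "/".
  # [F] answers 403 Forbidden for anything at or below .git, .hg or .bzr.
  RewriteRule "(^|/)\.(git|hg|bzr)(/|$)" - [F]
</IfModule>

<IfModule !mod_rewrite.c>
  # Fallback: <FilesMatch> sees only the file name, never the directory,
  # so it can cover just the names listed here. The list is an assumption
  # and is incomplete: objects, refs and hooks can have almost any name.
  <FilesMatch "^(HEAD|ORIG_HEAD|FETCH_HEAD|packed-refs|hgrc|dirstate|branch-format)$">
    <IfModule mod_authz_core.c>
      # Apache 2.4
      Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
      # Apache 2.2
      Order allow,deny
      Deny from all
    </IfModule>
  </FilesMatch>
</IfModule>
```

Rewrite rules in a parent .htaccess are not applied in a subdirectory whose own .htaccess contains rewrite directives unless `RewriteOptions Inherit` is set there, so check that requests such as `/.git/config` and `/sub/.git/HEAD` both return 403 after deploying.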

