
Isn't this a non-issue (don't need to change any config to block .git) with a properly configured firewall and nginx proxy passing to localhost when the code does not live in a publicly visible location? E.g. https://www.digitalocean.com/community/tutorials/how-to-set-...


Are you asking if this is a non-issue if you've... addressed the issue?


You could have worded it a little differently: if a folder is not accessible in the root directory of the web server, there is no need to modify the web server config to deny access to .git.

These types of snarky responses discourage newcomers from participating in discussions. I have seen this happen to many people, so please dial back the snark.


I see where you're coming from. From what I understand you're suggesting the same thing as Hamcha, who currently has the top post: make the web root a subfolder in version control, so the version control folder is above the web root. However, when I read it, it sounded like "if you have some uncommon setup with proxying to localhost [and then filtering out requests to .git?]" which indeed sounds like addressing the issue. Your second comment clarifies what you mean.


It's an issue, just not really specific to git, and it has been around for a long time. The issue is having source files, or any sensitive info, under the web root where it could get exposed by an incorrectly configured web server. This is why modern setups keep the source code somewhere else and use some sort of application server behind the web server or a similar arrangement.
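
Added example, not part of the thread: a Python check for the layout discussed above, reporting version-control metadata directories at or below a web root (reachable by URL unless the server denies them) and whether a repository sits above it instead. The directory names `flat_site`, `nested_site` and `public` are constructed sample data, and the function names are hypothetical.

```python
import os
import tempfile

VCS_DIRS = {".git", ".svn", ".hg"}  # metadata directories to look for

def find_vcs_dirs(web_root):
    """Return VCS metadata directories at or below web_root, relative to it.
    These are servable unless the web server has a deny rule for them."""
    exposed = []
    for dirpath, dirnames, _ in os.walk(web_root):
        for name in sorted(dirnames):
            if name in VCS_DIRS:
                full = os.path.join(dirpath, name)
                exposed.append(os.path.relpath(full, web_root))
        # Do not descend into the metadata directories themselves.
        dirnames[:] = [d for d in dirnames if d not in VCS_DIRS]
    return sorted(exposed)

def vcs_dir_above(web_root):
    """Return the nearest ancestor of web_root that holds a VCS directory,
    or None. A repository rooted above the web root has no URL path."""
    current = os.path.dirname(os.path.abspath(web_root))
    while True:
        if any(os.path.isdir(os.path.join(current, v)) for v in VCS_DIRS):
            return current
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return None
        current = parent

def build_sample_layouts(base):
    """Constructed sample: one repo served directly, one serving a subfolder."""
    flat = os.path.join(base, "flat_site")        # web root == repo root
    os.makedirs(os.path.join(flat, ".git"))
    os.makedirs(os.path.join(flat, "vendor", "lib", ".git"))
    nested = os.path.join(base, "nested_site")    # repo root above web root
    os.makedirs(os.path.join(nested, ".git"))
    os.makedirs(os.path.join(nested, "public", "css"))
    return flat, os.path.join(nested, "public")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for root in build_sample_layouts(base):
            print(root, find_vcs_dirs(root), vcs_dir_above(root))
```

Nested checkouts such as vendored dependencies are reported too, since they are exposed the same way as a top-level `.git`.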


It's a non-issue if you use a proper deployment tool like Capistrano.



