Thanks to a responsible disclosure I learned about a new attack vector today which I had really never paid any attention to. Make sure your private .git
directories aren't accessible via your web server, otherwise you could expose everything, including passwords stored in that repository.
- https://example.com/.git/config
- If you go to this URL, you will get a 200 OK response instead of a 403 Forbidden.
- This means the whole repository is retrievable: the config file reveals the remote repository URL, and every file in the repository can be recovered by unpacking the Git objects.
- Since it's an open listing, all of the Git objects (commits, trees, blobs) can be downloaded by their SHA-1 names and extracted with a little Python or bash.
I added this to my Nginx config files:
# Deny any dot-file or dot-directory (.git and the like), but keep /.well-known/ reachable (ACME challenges etc.)
location ~ /\.(?!well-known\/) {
    deny all;
}
Note that this is a regex location: an earlier `location ^~` prefix block or an exact `location =` match covering the same path takes precedence over it, so verify after reloading that `/.git/config` really answers 403.
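As an added example (not code from the original post), two defender-side checks in Python: one classifies the response you get back for `/.git/config` so that a catch-all 200 serving `index.html` is not mistaken for a real exposure, and one scans nginx access-log lines for requests under `/.git/` so you can see who has been probing and whether the deny rule is answering 403. The log lines and the config body are constructed samples.

```python
import re
from typing import Iterable, List, Tuple

# A real .git/config starts with a [core] section containing this key;
# a catch-all route that answers every path with index.html does not.
_CORE_SECTION = re.compile(r"^\s*\[core\]", re.MULTILINE)
_FORMAT_KEY = "repositoryformatversion"


def classify_git_response(status: int, body: str) -> str:
    """Classify the answer to GET /.git/config: 'blocked', 'exposed' or 'not-git'."""
    if status in (403, 404):
        return "blocked"
    if status == 200 and _CORE_SECTION.search(body) and _FORMAT_KEY in body:
        return "exposed"
    return "not-git"


# nginx "combined" log format: ip - user [time] "METHOD path PROTO" status ...
_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def find_git_probes(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, path, status) for every request under /.git/.

    A status of 200 here means the deny rule is not in effect for that path.
    """
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if m and (m.group(2) == "/.git" or m.group(2).startswith("/.git/")):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample data (not captured from a real server).
SAMPLE_GIT_CONFIG = "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:02:12 +0000] "GET /.git/config HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:14:02:13 +0000] "GET /.well-known/acme-challenge/x HTTP/1.1" 200 87 "-" "-"',
]

if __name__ == "__main__":
    print(classify_git_response(200, SAMPLE_GIT_CONFIG))  # exposed
    for ip, path, status in find_git_probes(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
```

Feed `find_git_probes` your real access log after deploying the location block: any remaining 200 for a `/.git/` path means a more specific location is still winning.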