There is a configuration block to prevent access to .ht-prefixed files in the default config:

    #
    # The following lines prevent .htaccess and .htpasswd files from being
    # viewed by Web clients.
    #
    <Files ".ht*">
        Require all denied
    </Files>

I think it would be wise to extend it to all dot-prefixed (hidden) files and dirs except .well-known.

    <Directory ~ "/\.(?!well-known\/)">
        Require all denied
    </Directory>

I found hundreds of thousands of sites with an exposed .git directory because of it (https://lynt.cz/blog/global-scan-exposed-git, https://smitka.me/open-git). It isn't only about .git; other VCSs have the same problem, and it has been known for a long time (https://news.ycombinator.com/item?id=838981). Other examples are .DS_Store or temp files created by text editors like vim.

I understand that the webserver shouldn't interfere with the application too much, but I believe it would be a nice step towards slightly better security.
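
Added example, not part of the original report and not Apache's own code: a small Python audit that models the two rules quoted above and lists the files in a document root that the stock `.ht*` rule leaves readable but the proposed block would deny. It assumes the regex is searched against the whole docroot-relative path; `classify`, `audit` and the sample paths are constructed for illustration, and results should be confirmed against a live server.

```python
import fnmatch
import os
import posixpath
import re

# Default rule quoted in the report: <Files ".ht*"> matches the base name.
DEFAULT_FILES_GLOB = ".ht*"
# Proposed rule, pattern copied verbatim from the <Directory ~ ...> line.
PROPOSED_REGEX = re.compile(r"/\.(?!well-known\/)")


def classify(url_path):
    """Return 'default', 'proposed' or 'served' for a docroot-relative path.

    Assumption of this sketch: the regex is searched against the whole path.
    """
    if fnmatch.fnmatchcase(posixpath.basename(url_path), DEFAULT_FILES_GLOB):
        return "default"   # already denied by the stock configuration
    if PROPOSED_REGEX.search(url_path):
        return "proposed"  # denied only if the proposed block is added
    return "served"


def audit(docroot):
    """List files under docroot that only the proposed rule would deny."""
    exposed = []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), docroot)
            path = "/" + rel.replace(os.sep, "/")
            if classify(path) == "proposed":
                exposed.append(path)
    return sorted(exposed)


# Constructed sample paths (not taken from any real site).
SAMPLE = [
    "/.htaccess", "/.git/config", "/.DS_Store", "/docs/.index.php.swp",
    "/.well-known/acme-challenge/token", "/index.html",
    "/.well-known",  # no trailing slash, so the lookahead does not exempt it
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p):9} {p}")
```

Running `audit()` over a copy of a document root gives the list of hidden files to review before and after adding the proposed block.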