Ideally the .git directory is not in production to begin with. as it is not needed to run an application. However, many deployment strategies use Git to move code changes onto a machine. If this is the case for your application; please, please, please do not allow .git to be accessible by the public. This situation is a MAJOR security risk. It could lead directly to a security breach.