Hidden files and directories (those whose names begin with a dot, such as .htaccess, .htpasswd, .git, and .hg) should generally be secured, as they often contain sensitive configuration settings or version control data. Exposing these files could lead to potential security risks, so it’s important to block external access to them.
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
Alternatively, you can simply trigger a ‘Not Found’ error, leaving the attacker without any useful information:
RedirectMatch 404 /\..*$
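The two variants differ in what they match, which matters when auditing a site. The following is an added example, not part of the original page: a simplified Python model of both directives, assuming the rules sit in the document root's .htaccess and using a constructed document root and constructed request paths. It shows that the rewrite variant only fires for paths that exist on disk, that the RedirectMatch variant answers 404 for any dot-segment, and that both also cover /.well-known/, which ACME HTTP-01 certificate validation relies on.

```python
import os
import re
import tempfile

# Patterns copied from the two directives above.
REWRITE_RULE = re.compile(r"(^|/)\.")    # RewriteRule "(^|/)\." - [F]
REDIRECT_MATCH = re.compile(r"/\..*$")   # RedirectMatch 404 /\..*$


def rewrite_status(docroot, url_path):
    """Model the RewriteCond/RewriteRule variant: 403 only when the path
    maps to an existing file or directory and contains a dot-segment."""
    rel = url_path.lstrip("/")  # .htaccess context matches without the leading slash
    target = os.path.join(docroot, rel)
    exists = os.path.isdir(target) or os.path.isfile(target)
    if exists and REWRITE_RULE.search(rel):
        return 403
    return None  # rule does not fire; the request is handled normally


def redirect_status(url_path):
    """Model the RedirectMatch variant: 404 for any URL path with a
    dot-segment, whether or not anything exists on disk."""
    return 404 if REDIRECT_MATCH.search(url_path) else None


def build_sample_docroot():
    """Create a constructed document root with a few hidden entries."""
    root = tempfile.mkdtemp()
    for rel in (".git/config", ".htpasswd", "css/site.css",
                ".well-known/acme-challenge/token"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    # Constructed request paths: hidden, ordinary, and a dot inside a name.
    for path in ("/.git/config", "/.htpasswd", "/.env", "/css/site.css",
                 "/.well-known/acme-challenge/token", "/archive.tar.gz"):
        print(f"{path:36} rewrite={rewrite_status(root, path)} "
              f"redirect={redirect_status(path)}")
```

If the site uses HTTP-01 certificate validation, /.well-known/ needs an explicit exception placed before either rule.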
." - [F]