Update: Git repositories created with WebFaction’s git installer are insecure, even when they’re password protected. Some Apache installations are configured out-of-the-box to protect .htpasswd files. That is not the case with WebFaction.
- Remove the file’s default world-readable permissions, by running chmod o-r .htpasswd
- OR: Prevent the file from being downloaded, by adding the following to .htaccess:
<files ~ "^\.ht"> Order allow,deny Deny from all </files>
Of course, the same applies to any .htpasswd file.