Be wary of having .git accessible to the outside world. If it is routed, possibly due to default web server configuration or an oversight, it can be rather easy to fetch the complete (or in the case of packed refs, nearly complete) history of your application server by walking the git objects in reverse from refs/heads/*. This could reveal database configuration details or other particularly interesting things.
The server need not even be set up for git over HTTP (via git-update-server-info or what have you) for this to be an issue.
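One way to check your own web server's access logs for signs of this exposure, as an added example that is not part of the original note. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common/combined access log prefix: client, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# A .git directory at any depth of the URL path.
GIT_RE = re.compile(r'(?:^|/)\.git/(?P<rest>[^?#]*)')
# Loose object path: objects/<2 hex>/<38 hex> (SHA-1) or <62 hex> (SHA-256).
LOOSE_RE = re.compile(r'^objects/[0-9a-f]{2}/[0-9a-f]{38}(?:[0-9a-f]{24})?$')

def classify(rest):
    """Bucket a path below .git/ as a ref lookup, an object fetch, or other."""
    if rest in ("HEAD", "packed-refs") or rest.startswith("refs/"):
        return "ref"
    if LOOSE_RE.match(rest) or rest.startswith("objects/pack/"):
        return "object"
    return "other"

def exposed_git_hits(lines):
    """Return {client: counts} for .git requests the server answered with 2xx."""
    hits = defaultdict(lambda: {"ref": 0, "object": 0, "other": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line, or the request was refused
        g = GIT_RE.search(unquote(m["path"]))  # also catches %2egit
        if g:
            hits[m["client"]][classify(g["rest"])] += 1
    return dict(hits)

def history_walkers(hits):
    """Clients that read a ref and then objects: the walk described above."""
    return sorted(c for c, k in hits.items() if k["ref"] and k["object"])

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /.git/refs/heads/master HTTP/1.1" 200 41 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /.git/objects/3f/' + "a" * 38 + ' HTTP/1.1" 200 180 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:06:00 +0000] "GET /app/%2egit/config HTTP/1.1" 200 92 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]
```

Any client in the result received content from inside .git, which means the directory is being served and should be blocked in the web server configuration or moved out of the document root.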