# ---------------------------------------------------------------------- # | File access | # ---------------------------------------------------------------------- # Block access to all hidden files and directories with the exception of # the visible content from within the `/.well-known/` hidden directory. # # These types of files usually contain user preferences or the preserved # state of a utility, and can include rather private places like, for # example, the `.git` or `.svn` directories. # # The `/.well-known/` directory represents the standard (RFC 5785) path # prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, # `/.well-known/keybase.txt`), and therefore, access to its visible # content should not be blocked. # # https://www.mnot.net/blog/2010/04/07/well-known # https://tools.ietf.org/html/rfc5785 location ~* /\.(?!well-known\/) { deny all; } # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Block access to files that can expose sensitive information. # # By default, block access to backup and source files that may be # left by some text editors and can pose a security risk when anyone # has access to them. # # https://feross.org/cmsploit/ # # (!) Update the `location` regular expression from below to # include any files that might end up on your production server and # can expose sensitive information about your website. These files may # include: configuration files, files that contain metadata about the # project (e.g.: project dependencies), build scripts, etc.. location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { deny all; }