# Prevent clients from accessing hidden files (starting with a dot)
location ~* (^|/)\. {
    return 403;
}

# Prevent clients from accessing to backup/config/source files
location ~* (\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    return 403;
}