# Prevent clients from accessing hidden files (starting with a dot)
location ~* (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}