diff --git a/conf/nginx.conf b/conf/nginx.conf
index 24b508e..671c163 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,5 +1,5 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location __PATH__/ {
+location ^~ __PATH__/ {
 
   # Path to source
   alias __FINALPATH__/ ;
@@ -9,6 +9,10 @@ location __PATH__/ {
     rewrite ^ https://$server_name$request_uri? permanent;
   }
 
+  more_set_headers "Referrer-Policy; origin always";
+  more_set_headers "X-Content-Type-Options: nosniff";
+  more_set_headers "X-XSS-Protection: 1; mode=block";
+
   index index.php;
 
   # Common parameter to increase upload size limit in conjunction with dedicated PHP-FPM file
@@ -17,14 +21,16 @@ location __PATH__/ {
   try_files $uri $uri/ =404;
 
   location ~ [^/]\.php(/|$) {
+    rewrite ^__PATH__/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$;
+    include snippets/fastcgi-php.conf;
     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
     fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
 
-    fastcgi_index index.php;
-    include fastcgi_params;
-    fastcgi_param REMOTE_USER $remote_user;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
-    fastcgi_param SCRIPT_FILENAME $request_filename;
+    #fastcgi_index index.php;
+    #include fastcgi_params;
+    #fastcgi_param REMOTE_USER $remote_user;
+    #fastcgi_param PATH_INFO $fastcgi_path_info;
+    #fastcgi_param SCRIPT_FILENAME $request_filename;
   }
 
     ## deny access to all other .php files
@@ -34,9 +40,9 @@ location __PATH__/ {
     }
 
     ## disable all access to the following directories
-    location __PATH__/(config|tmp|core|lang) {
+    location ~ ^__PATH__/(config|tmp|core|lang) {
         deny all;
-        return 403; # replace with 404 to not show these directories exist
+        return 404;
     }
 
     location __PATH__/\.ht {