diff --git a/conf/nginx.conf b/conf/nginx.conf
index d16f443..09cca21 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,31 +1,32 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location __PATH__/ {
+location ^~ __PATH__/ {
 
-  # Path to source
-  alias __FINALPATH__/ ;
+    # Path to source
+    alias  __FINALPATH__/;
 
   # Force usage of https
   if ($scheme = http) {
     rewrite ^ https://$server_name$request_uri? permanent;
   }
 
+  more_set_headers "Referrer-Policy: origin always";
+  more_set_headers "X-Content-Type-Options: nosniff";
+  more_set_headers "X-XSS-Protection: 1; mode=block";
+  
   index index.php;
 
-  # Common parameter to increase upload size limit in conjunction with dedicated PHP-FPM file
-  client_max_body_size 100M;
+  try_files $uri $uri/ =404;
 
-  try_files $uri $uri/ index.php;
   location ~ [^/]\.php(/|$) {
     fastcgi_split_path_info ^(.+?\.php)(/.*)$;
     fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock;
 
     fastcgi_index index.php;
     include fastcgi_params;
-    fastcgi_param REMOTE_USER $remote_user;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param REMOTE_USER     $remote_user;
+    fastcgi_param PATH_INFO       $fastcgi_path_info;
     fastcgi_param SCRIPT_FILENAME $request_filename;
-  }
-
+    }
 
     ## deny access to all other .php files
     location ~* ^.+\.php$ {
@@ -33,14 +34,18 @@ location __PATH__/ {
         return 403;
     }
 
-
     ## disable all access to the following directories
-    location ~ ^/(config|tmp|core|lang) {
+    location ~ ^__PATH__/(config|tmp|core|lang) {
         deny all;
-        return 403; # replace with 404 to not show these directories exist
+        return 404;
     }
 
-        location ~ js/container_.*_preview\.js$ {
+    location ~ __PATH__/\.ht {
+        deny  all;
+        return 403;
+    }
+
+    location ~ js/container_.*_preview\.js$ {
         expires off;
         more_set_headers "Cache-Control: private, no-cache, no-store";
     }
@@ -50,20 +55,20 @@ location __PATH__/ {
         ## Cache images,CSS,JS and webfonts for an hour
         ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
         expires 1h;
-        more_set_headers "Cache-Control: public";
         more_set_headers "Pragma: public";
+        more_set_headers "Cache-Control: public";
     }
 
-    location __PATH__/(libs|vendor|plugins|misc|node_modules) {
+    location ~ ^__PATH__/(libs|vendor|plugins|misc|node_modules) {
         deny all;
         return 403;
     }
 
     ## properly display textfiles in root directory
-    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+    location ~__PATH__/(.*\.md|LEGALNOTICE|LICENSE) {
         default_type text/plain;
     }
 
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
+    # show YunoHost panel access
+    include conf.d/yunohost_panel.conf.inc;
 }