diff --git a/conf/nginx.conf b/conf/nginx.conf
index b41ead3..d16f443 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -26,6 +26,44 @@ location __PATH__/ {
 fastcgi_param SCRIPT_FILENAME $request_filename;
 }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+
+ ## disable all access to the following directories
+ location ~ ^/(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ more_set_headers "Cache-Control: private, no-cache, no-store";
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ more_set_headers "Cache-Control: public";
+ more_set_headers "Pragma: public";
+ }
+
+ location __PATH__/(libs|vendor|plugins|misc|node_modules) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
 # Include SSOWAT user panel.
 include conf.d/yunohost_panel.conf.inc;
 }
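Review bot: The two directory deny rules will not match when the app is installed under a sub-path, so `config/`, `tmp/` and the library directories stay reachable over HTTP. `location __PATH__/(libs|vendor|plugins|misc|node_modules)` has no `~` modifier, so nginx treats the parenthesised alternation as a literal prefix. `location ~ ^/(config|tmp|core|lang)` is anchored at the server root rather than at `__PATH__`, and nested regex locations are still matched against the full request URI. I would write them as `location ~ ^__PATH__/(config|tmp|core|lang)/ {` and `location ~ ^__PATH__/(libs|vendor|plugins|misc|node_modules)/ {`, where the trailing slash keeps names such as `/core.js` from matching. The `.php` deny block may also be unreachable if the PHP location that closes just above it is a regex matching every `.php` URI, since nginx stops at the first matching regex; that location and the enclosing `location __PATH__/ {` start outside the hunk, so check this against the full file.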