diff --git a/conf/nginx.conf b/conf/nginx.conf
index c4b73e1..4ddb371 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -69,15 +69,15 @@ location ^~ __PATH__/ {
 access_log off;
 }
- location ~ ^__PATH__/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ location ~ ^\__PATH__\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
 deny all;
 }
- location ~ ^__PATH__/(?:\.|autotest|occ|issue|indie|db_|console) {
+ location ~ ^\__PATH__\/(?:\.|autotest|occ|issue|indie|db_|console) {
 deny all;
 }
- location ~ ^__PATH__/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+)\.php(/.*|)$ {
- fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
+ location ~ ^\__PATH__\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) {
+ fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 set $path_info $fastcgi_path_info;
 try_files $fastcgi_script_name =404;
 include fastcgi_params;
@@ -92,10 +92,9 @@ location ^~ __PATH__/ {
 fastcgi_pass unix:/var/run/php/php__YNH_PHP_VERSION__-fpm-__NAME__.sock;
 fastcgi_intercept_errors on;
 fastcgi_request_buffering off;
- fastcgi_param REMOTE_USER $remote_user;
 }
- location ~ ^__PATH__/(?:updater|oc[ms]-provider)(?:$|/) {
+ location ~ ^\__PATH__\/(?:updater|oc[ms]-provider)(?:$|\/) {
 try_files $uri/ =404;
 index index.php;
 }
@@ -117,9 +116,8 @@ location ^~ __PATH__/ {
 }
-
- # Adding the cache control header for js and css files
- location ~ \.(?:css|js|woff2?|svg|gif)$ {
+ # Adding the cache control header for js, css and map files
+ location ~ ^\__PATH__\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
 try_files $uri __PATH__/index.php$request_uri;
 more_set_headers "Cache-Control: public, max-age=15778463";
 # Add headers to serve security related headers
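Review bot: The rewritten prefix `^\__PATH__\/` in the two `deny all` locations and the PHP location of the first hunk only matches as intended if `__PATH__` expands to a non-empty path with no trailing slash; the substitution step is not visible in this diff, so this should be confirmed for an install at the domain root. If the placeholder becomes `/` or an empty string, the pattern turns into `^\/\/` or `^\\/`, and the `deny all` rules covering `config`, `data` and dot-files would stop matching without any error from nginx. The same prefix is introduced in the `updater|oc[ms]-provider` location of the second hunk and in both static-asset locations further down. nginx does not need `/` escaped in a location regex, so keeping the unescaped form, e.g. `location ~ ^__PATH__/(?:build|tests|config|lib|3rdparty|templates|data)/ {`, would avoid depending on how the placeholder is replaced. The enclosing `location ^~ __PATH__/` block starts and ends outside these hunks.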
@@ -129,13 +127,14 @@ location ^~ __PATH__/ {
 more_set_headers "X-Robots-Tag: none";
 more_set_headers "X-Download-Options: noopen";
 more_set_headers "X-Permitted-Cross-Domain-Policies: none";
+ more_set_headers "X-Frame-Options: SAMEORIGIN";
 more_set_headers "Referrer-Policy: no-referrer";
 # Optional: Don't log access to assets
 access_log off;
 }
- location ~* \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+ location ~ ^\__PATH__\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
 try_files $uri __PATH__/index.php$request_uri;
 # Optional: Don't log access to other assets
 access_log off;
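Review bot: `X-Frame-Options: SAMEORIGIN` is added only to the css/js asset location, while the `png|html|ttf|ico|jpg|jpeg|bcmap` location changed at the end of this hunk shows no `more_set_headers` lines in the visible part, and `.html` is the response type where framing matters most. Unless the enclosing `location ^~ __PATH__/` block (outside the hunk) already sets these headers for nested locations, add `more_set_headers "X-Frame-Options: SAMEORIGIN";` to that location as well. The switch from `~*` to `~` also makes this match case-sensitive, so upper-case extensions would no longer be handled here; a one-line comment saying that is intended would help the next reader. The body of this location may continue past the last visible line.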