Facebook Pixel

How do I block access to .env and hidden files?

Add location ~ /\. { deny all; } to block all hidden files (starting with a dot). Add location ~ /\.env { deny all; } specifically for .env files. This prevents accidental exposure of secrets through Nginx.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Nginx Security Updates and Headers Hardening Your Node.js Server

Strict-Transport-Security (HSTS, forces HTTPS for 1 year), X-Frame-Options (SAMEORIGIN, prevents clickjacking), X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy, Content-Security-Policy (CSP, restricts resource loading), and Permissions-Policy (disables unnecessary browser features).

Define limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s in the http block. Add limit_req zone=api burst=20 nodelay in the location block. This allows 10 requests per second per IP with a burst of 20. Also use limit_conn_zone for concurrent connection limits.

Add server_tokens off; to the http block in nginx.conf. This removes the version number from the Server response header and error pages, making it harder for attackers to identify known vulnerabilities in your specific version.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.