Add extra deny rules to nginx.conf

docker/nginx.conf

@@ -73,6 +73,30 @@ http {
             deny all;
         }
 
+        # Deny yaml, twig, markdown, ini file access.
+        location ~* /.+\.(markdown|md|twig|yaml|yml|ini)$ {
+            deny all;
+            log_not_found off;
+        }
+
+        # Deny all grunt, package files.
+        location ~* (Gruntfile|package)\.(js|json|jsonc)$ {
+            deny all;
+            log_not_found off;
+        }
+
+        # Deny all composer files.
+        location ~* composer\. {
+            deny all;
+            log_not_found off;
+        }
+
+        # Deny vendor directory.
+        location ^~ /vendor/ {
+            deny all;
+            log_not_found off;
+        }
+
         # Allow fpm ping from localhost, useful for docker HEALTHCHECK.
         location ~ ^/(fpm-ping)$ {
             access_log off;