Return 404s and not 403s to prevent information disclosure.

uselagoon · Apr 13, 2024 · 6d330bc · 6d330bc
1 parent 3110018
commit 6d330bc
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf
@@ -56,7 +56,7 @@ server {
       return 403;
     }
 
-    ### Directives for installing drupal.
+    ## Directives for installing drupal.
     location ~* ^(/install.php|/core/install.php) {
       try_files /dev/null @php;
     }
@@ -111,34 +111,39 @@ server {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to backup directory.
   location ^~ /backup/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vagrant directory.
   location ^~ /vagrant/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
   location ^~ /core/vendor/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Disallow access to vendor directory.
   location ^~ /vendor/ {
     deny all;
     access_log off;
     log_not_found off;
+    return 404;
   }
 
   ## Support for the robotstxt module