fix: Security vulnerability - block malicious file requests

nginx.production.conf

@@ -82,6 +82,27 @@ http {
         # Avoid `unsafe-eval` in production CSP
         add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://analytics.dk0.dev; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https://analytics.dk0.dev;";
 
+        # Block common malicious file extensions and paths
+        location ~* \.(php|asp|aspx|jsp|cgi|sh|bat|cmd|exe|dll)$ {
+            return 404;
+        }
+        
+        # Block access to sensitive files
+        location ~* (\.env|\.sql|\.tar|\.gz|\.zip|\.rar|\.bash_history|ftpsync\.settings|__MACOSX) {
+            return 404;
+        }
+        
+        # Block access to .well-known if not explicitly needed
+        location ~ /\.well-known(?!\/acme-challenge) {
+            return 404;
+        }
+        
+        # Block access to hidden files and directories
+        location ~ /\. {
+            deny all;
+            return 404;
+        }
+
         # Cache static assets
         location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
             expires 1y;