diff --git a/images/nginx-drupal/drupal.conf b/images/nginx-drupal/drupal.conf
index 0a485faf4..ecc3087e2 100644
--- a/images/nginx-drupal/drupal.conf
+++ b/images/nginx-drupal/drupal.conf
@@ -1,4 +1,5 @@
-### Nginx configuration for Drupal.
+## Nginx configuration for Drupal
+## @see https://www.drupal.org/project/drupal/issues/2937161
 server {
 include /etc/nginx/conf.d/drupal/server_prepend*.conf;
@@ -9,10 +10,6 @@ server {
 root /app/${WEBROOT:-};
 index index.php;
- ## rewriting /index.php to / because after https://www.drupal.org/node/2599326
- ## autocomplete URLs are forced to go to index.php
- rewrite ^/index.php / last;
-
 ## The 'default' location.
 location / {
 include /etc/nginx/conf.d/drupal/location_prepend*.conf;
@@ -27,10 +24,11 @@ server {
 }
 ## Do not allow access to .txt and .md unless inside sites/*/files/
- location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md)$ {
+ location ~* ^(?!.+sites\/.+\/files\/).+\.(txt|md|log)$ {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Replicate the Apache directive of Drupal standard
@@ -46,12 +44,19 @@ server {
 ## Expiring per default for four weeks and one second, Drupal will overwrite that if necessary
 expires ${NGINX_DEFAULT_EXPIRES:-2628001s};
- ## Disallow access to any dot files, but send the request to Drupal
- location ~* /\. {
- try_files /dev/null @drupal;
+ ## Allow "Well-Known URIs" as per RFC 5785
+ location ~* ^/.well-known/ {
+ allow all;
 }
- ### Directives for installing drupal.
+ ## Block access to "hidden" files and directories whose names begin with a
+ ## period. This includes directories used by version control systems such
+ ## as Subversion or Git to store control files.
+ location ~ (^|/)\. {
+ return 403;
+ }
+
+ ## Directives for installing drupal.
 location ~* ^(/install.php|/core/install.php) {
 try_files /dev/null @php;
 }
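Review bot: In the `.(txt|md|log)$` location, the added `return 404;` is executed in nginx's rewrite phase, which runs before the access phase where `deny all;` is evaluated, so `deny all;` is now unreachable and the response for these URIs changes from 403 to 404; `log_not_found off;` is most likely moot as well, since no file lookup happens once `return` has fired. Either drop the unreachable directives or keep them with a comment that states the intent, e.g. `## return 404 in the rewrite phase so the URI's existence is not revealed; deny all is never reached`. The same pattern is repeated in the five `return 404;` hunks of this file at old lines 100, 107, 114, 121 and 128. The enclosing server block starts and ends outside this hunk.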
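Review bot: The new `location ~* ^/.well-known/ { allow all; }` has no `try_files`, so a well-known URI is served only from the document root and a URI with no matching file gets nginx's own 404 instead of reaching Drupal, whereas the dot-file block it replaces sent these requests to `@drupal`. If Drupal routes under `/.well-known/` are meant to keep working, add `try_files $uri @drupal;` after `allow all;`. The dot in the pattern is unescaped and should read `^/\.well-known/`. This location only takes precedence over the following `location ~ (^|/)\. { return 403; }` because regex locations are tested in file order, which deserves a comment such as `## must stay above the dot-file block: the first matching regex location wins`. The enclosing server block starts and ends outside this hunk.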
@@ -61,6 +66,12 @@ server {
 try_files /dev/null @drupal;
 }
+ ## Enforce clean URLs
+ ## Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+ location ~* (.*/)index\.php/(.*) {
+ return 301 $1$2$is_args$args;
+ }
+
 ## Try to find a file with given URL, if not pass to Drupal
 try_files $uri @drupal;
@@ -100,6 +111,7 @@ server {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Disallow access to backup directory.
@@ -107,6 +119,7 @@ server {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Disallow access to vagrant directory.
@@ -114,6 +127,7 @@ server {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Disallow access to vendor directory.
@@ -121,6 +135,7 @@ server {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Disallow access to vendor directory.
@@ -128,6 +143,7 @@ server {
 deny all;
 access_log off;
 log_not_found off;
+ return 404;
 }
 ## Support for the robotstxt module
diff --git a/images/nginx-drupal/drupal/favicon.conf b/images/nginx-drupal/drupal/favicon.conf
index bbe0d8427..5dbbdecd9 100644
--- a/images/nginx-drupal/drupal/favicon.conf
+++ b/images/nginx-drupal/drupal/favicon.conf
@@ -1,5 +1,4 @@
-## Support for favicon. Return an 1x1 transparent GIF if it doesn't
-## exist.
+## Support for favicon. Return an 1x1 transparent GIF if it doesn't exist.
 location = /favicon.ico {
 expires 30d;
 try_files /favicon.ico @empty;
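Review bot: The clean-URL redirect `location ~* (.*/)index\.php/(.*) { return 301 $1$2$is_args$args; }` fires for every request method, so a POST to an `index.php/...` URL is answered with a permanent 301 that most clients replay as a GET without the body; if the Drupal issue cited in the file header involves form submissions, that behaviour should be verified. The match is also case-insensitive and unanchored, so `/sites/default/files/INDEX.PHP/x` is redirected to `/sites/default/files/x` as well; a case-sensitive `location ~ ^(.*/)index\.php/(.*)$` keeps it to what the comment above it describes. The enclosing server block starts and ends outside this hunk.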