
Tweak nginx config

Open J0WI opened this issue 5 years ago • 2 comments

J0WI avatar Jun 20 '19 18:06 J0WI

I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines and am not sure about all lines:

  • X-Frame-Options is already sent by Matomo
  • Any reason for removing the /\.ht section?
  • merging the plugins/HeatmapSessionRecording/configs.php is a great idea, thanks
  • the separation between config|tmp|core|lang and libs|vendor|plugins|misc/user is intentional. This way js, css, etc. are allowed from the plugins but not from the tmp directory.
  • Any reason why the .well-known is allowed explicitly? Matomo doesn't really use it and for let's encrypt I think it needs to be in the HTTP section

Findus23 avatar Jun 20 '19 18:06 Findus23

I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines

Sure, that was the idea.

X-Frame-Options is already sent by Matomo

It's more secure to add this in the server config, because this is harder to compromise and it doesn't depend on PHP. fastcgi_hide_header X-Content-Type-Options; can be used to avoid duplicates.

Any reason for removing the /\.ht section?

This is now covered by \. which denies access to all dotfiles.

Any reason why the .well-known is allowed explicitly? Matomo doesn't really use it and for let's encrypt I think it needs to be in the HTTP section

All HTTP requests are rewritten to HTTPS, so acme challenge would be blocked. You can also merge it with the default_type text/plain section if you like.
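The pieces discussed in this thread (server-level headers with the PHP copies hidden, a blanket dotfile deny, the ACME exception on the plain-HTTP side, the config|tmp|core|lang vs. libs|vendor|plugins|misc/user split) assembled into one config as an added example; this is not the matomo-nginx project's own file, and the hostname, filesystem paths and PHP-FPM socket are assumptions.

```nginx
server {
    listen 80;
    server_name matomo.example.com;   # assumed hostname

    # The http-01 challenge must stay reachable over plain HTTP. A ^~ prefix
    # location wins over regex locations and over the catch-all redirect below.
    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;
        root /var/www/acme;           # assumed webroot used by the ACME client
    }

    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name matomo.example.com;
    root /var/www/matomo;             # assumed Matomo install path
    index index.php;
    # ssl_certificate / ssl_certificate_key omitted

    # Headers set here do not depend on PHP; hide the copies Matomo emits so a
    # client never sees two values. Note: an add_header inside a location
    # replaces these inherited ones, so repeat them there if you add any.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    fastcgi_hide_header X-Frame-Options;
    fastcgi_hide_header X-Content-Type-Options;

    # Regex locations are tried in order of appearance, so denies come first.
    location ~ /\. { deny all; }                        # every dotfile, including .ht*
    location ~ ^/(config|tmp|core|lang)/ { deny all; }  # never served directly

    # Only the known entry points are passed to PHP.
    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;        # assumed socket
    }
    location ~ \.php$ { deny all; }                     # any other .php file

    # Static assets from these trees are allowed; anything else below them is not.
    location ~ ^/(libs|vendor|plugins|misc/user)/.+\.(css|js|gif|png|jpe?g|svg|woff2?|ttf)$ {
        expires 1y;
    }
    location ~ ^/(libs|vendor|plugins|misc/user)/ { deny all; }

    location / { try_files $uri $uri/ =404; }
}
```

Check the result with `nginx -t` and then with a request for `/.well-known/acme-challenge/test` over HTTP and for `/config/` over HTTPS; the first should reach the ACME webroot, the second should return 403.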

J0WI avatar Jun 20 '19 19:06 J0WI