diff --git a/src/nginxconfig/generators/conf/drupal.conf.js b/src/nginxconfig/generators/conf/drupal.conf.js
index 84d4b06..1539ae6 100644
--- a/src/nginxconfig/generators/conf/drupal.conf.js
+++ b/src/nginxconfig/generators/conf/drupal.conf.js
@@ -18,8 +18,10 @@ export default global => {
     const config = {};
 
     config['# Drupal: deny private files'] = '';
-    config['location ~ ^/sites/.*/private/'] = {
+
+    config['location ~ ((^|/)\.|^.*\.yml$|^/sites/.*/private/|^/sites/[^/]+/.*settings.*\.php$)'] = {
         deny: 'all',
+        return: '404',
     };
 
     config['# Drupal: deny php in files'] = '';
@@ -32,6 +34,15 @@ export default global => {
         deny: 'all',
     };
 
+    config['# Allow image styles to be handled by the CMS.'] = '';
+    config['location ~ ^/sites/[^/]+/files/styles/'] = {
+        try_files: '$uri @rewrite',
+    };
+
+    config['location @rewrite'] = {
+        rewrite: '^/(.*)$ /index.php?q=$1',
+    };
+
     config['# Drupal: handle private files'] = '';
     config['location ~ ^(/[a-z\\-]+)?/system/files/'] = {
         try_files: '$uri /index.php?$query_string',