diff --git a/images/nginx/config/nginx-server-default.conf b/images/nginx/config/nginx-server-default.conf
index 3cff80d0d018c70c4889fad79dcb87b3bd40ffcc..c94d2ecf7f69bb78f6f65aee2debbe2a215fbf3b 100644
--- a/images/nginx/config/nginx-server-default.conf
+++ b/images/nginx/config/nginx-server-default.conf
@@ -114,7 +114,12 @@ server {
         fastcgi_pass webdav;
     }
 
+    # We deny access to `.config` due to https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/927
     # Previously we would deny access to txt/log files, see https://gitlab.cern.ch/webservices/webframeworks-planning/-/issues/853
+    location ~* \.config$ {
+        allow 192.168.0.0/16;
+        deny all;
+    }
 
     # !!! NOTE
     # Order is important in nginx rules. If the following `location` are rearranged, things will BREAK.