wodby / nginx

Nginx docker container image
https://wodby.com/stacks
MIT License

NGINX rules deviate from upstream defaults #93

Open janmashat opened 1 month ago

janmashat commented 1 month ago

The comment where this change propagates states:

# Replica of regex from Drupals core .htaccess.

However, I wasn't able to find a reference to these new file extensions at the source: https://git.drupalcode.org/project/drupal/-/blob/11.x/.htaccess

Now this has become a breaking change on our project where we serve legitimate .md files sitewide.

mxr576 commented 1 month ago

In addition, the requested "security hardenings" in [#86] could be achieved by excluding those files from the scaffolded ones via Drupal Scaffold plugin config: https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold#toc_6

So the requested hardenings do not have to be implemented at the web server level.

To be clear, the only concerning part for us is blocking markdown files from being served globally, when there are legitimate use cases for that --- and to be fair/IMO, the README.md of Drupal core does not tell anything about the installed version, etc. It may disclose that Drupal is the app framework, but that could be guessed in many different ways.

(cc @elaman )

elaman commented 1 month ago

Fair point regarding .md files not being a direct vulnerability, although I think that publicly facing Markdown documents should be served out of the public file system (e.g. sites/default/files).

Given that MD files are more often included with the code to explain said code (modules, themes, libraries, internal docs, etc), we don't want website visitors to be able to gain access to information about code.
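One way to reconcile the two positions in this thread, as an added example that is not the wodby/nginx image's own configuration: deny code-adjacent files (including Markdown) across the docroot, but let static files, Markdown included, through under the public files directory. The `/sites/default/files/` path is Drupal's default and the extension list is an assumption modelled on Drupal core's .htaccess, not copied from this repository.

```nginx
# Added example. Assumes Drupal's default public files path
# /sites/default/files/; the extension list below is an assumption
# modelled on Drupal core's .htaccess, not this image's actual rules.

# A "^~" prefix match wins over every regex location, so files under
# the public files tree are served as plain static content, .md included.
location ^~ /sites/default/files/ {
    # Uploaded content must never be executed, whatever its extension.
    location ~ \.php$ { return 404; }
    try_files $uri =404;
}

# Everywhere else: files that describe the code base rather than the site
# (module/theme source, composer manifests, dotfiles, VCS metadata, docs).
# 404 rather than 403 avoids confirming that the path exists.
location ~* (^|/)(\.(?!well-known).*|composer\.(json|lock)|web\.config|[^/]+\.(engine|inc|install|make|module|profile|po|sh|sql|theme|twig|tpl(\.php)?|xtmpl|yml|md))$ {
    return 404;
}
```

Check the result before shipping: `curl -I` a README.md at the docroot should return 404, while the same file copied under `sites/default/files/` should return 200.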