diff --git a/src/drupal/docker/image/nginx/root/etc/nginx/conf.d/default.conf.template.twig b/src/drupal/docker/image/nginx/root/etc/nginx/conf.d/default.conf.template.twig
index e757082ae..615c03e28 100644
--- a/src/drupal/docker/image/nginx/root/etc/nginx/conf.d/default.conf.template.twig
+++ b/src/drupal/docker/image/nginx/root/etc/nginx/conf.d/default.conf.template.twig
@@ -1,4 +1,7 @@
+# Adapted from https://www.nginx.com/resources/wiki/start/topics/recipes/drupal/
+# Referred to from https://www.drupal.org/docs/getting-started/system-requirements/web-server-requirements
+
 server {
 listen 80 default_server;
@@ -75,7 +78,8 @@ server {
 }
 location @rewrite {
- rewrite ^/(.*)$ /index.php?q=$1;
+ #rewrite ^/(.*)$ /index.php?q=$1; # For Drupal <= 6
+ rewrite ^ /index.php; # For Drupal >= 7
 }
 # Don't allow direct access to PHP files in the vendor directory.
@@ -84,6 +88,12 @@ server {
 return 404;
 }
+ # Protect files and directories from prying eyes.
+ location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
+ deny all;
+ return 404;
+ }
+
 # In Drupal 8, we must also match new paths where the '.php' appears in
 # the middle, such as update.php/selection. The rule we use is strict,
 # and only allows this pattern with the update.php front controller.
@@ -97,6 +107,10 @@ server {
 # release.
 location ~ '\.php$|^/update.php' {
 fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
+
+ # Ensure the php file exists. Mitigates CVE-2019-11043
+ try_files $fastcgi_script_name =404;
+
 # Security note: If you're running a version of PHP older than the
 # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
 # See http://serverfault.com/q/627903/94922 for details.
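Review bot: The `^`-anchored alternatives in the new "prying eyes" `location ~*` regex can never match, because nginx tests a regex location against the normalized request URI, which always starts with `/`, whereas this pattern was lifted from Drupal's `.htaccess` `FilesMatch`, where `^` anchors at the bare file name. As written, `/.git/HEAD`, `/.env`, `/composer.json`, `/package.json`, `/yarn.lock`, `/web.config` and `/#foo#` are not caught by this block and fall through to whatever `location /` does (that block is outside this hunk), so only the extension-based alternatives actually protect anything. Anchor those alternatives at a path-segment boundary instead: replace `^(\.(?!well-known).*|…|package\.json)$` with `(^|/)(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$` and `^#.*#$` with `(^|/)#.*#$`. A one-line comment such as `# (^|/) because nginx matches the whole URI, not the basename as Apache FilesMatch does` would stop the next port from the .htaccess reintroducing the bug. Note also that `return 404` runs in the rewrite phase before `deny all` is evaluated, so the `deny` is redundant (harmless, but worth a comment if kept).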
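Review bot: `try_files $fastcgi_script_name =404;` changes `$uri` to the script it found, and `$fastcgi_path_info` is computed lazily from `$uri` when it is referenced, so if the `fastcgi_param PATH_INFO` line later in this location (outside the hunk) still passes `$fastcgi_path_info`, PHP receives an empty `PATH_INFO` — for `/update.php/selection`, the exact case the comment three lines above says must keep working, the `/selection` part would be lost. Capture it before the check, `set $path_info $fastcgi_path_info;` directly after `fastcgi_split_path_info`, and pass `fastcgi_param PATH_INFO $path_info;` instead. Alternatively keep `$uri` untouched with `if (!-f $document_root$fastcgi_script_name) { return 404; }`, which mitigates the same CVE-2019-11043 path-info trick without that side effect. The rest of this location block is outside the hunk, so I cannot confirm how `PATH_INFO` is currently passed; please verify `update.php/selection` still works after this change.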
@@ -122,6 +136,12 @@ server {
 }
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+ try_files $uri @rewrite;
+ expires max;
+ log_not_found off;
+ }
+
 # Fighting with Styles? This little gem is amazing.
 # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
 location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
@@ -134,10 +154,11 @@ server {
 try_files $uri /index.php?$query_string;
 }
- location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
- try_files $uri @rewrite;
- expires max;
- log_not_found off;
+ # Enforce clean URLs
+ # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
+ # Could be done with 301 for permanent or other redirect codes.
+ if ($request_uri ~* "^(.*/)index\.php/(.*)") {
+ return 307 $1$2;
 }
 include snippets/bottom-*.conf;
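Review bot: Placing the static-asset `location ~* \.(js|css|png|...)$` above `location ~ ^/sites/.*/files/styles/` changes which block handles image-style requests, because nginx uses the first regex location that matches in file order: `/sites/default/files/styles/…/x.jpg` now goes through this block's `try_files $uri @rewrite` and the styles location is only reached for extensions missing from this list. Both paths end up at `index.php` with the original arguments (the `@rewrite` rule appends them), so this is probably behaviour-neutral for Drupal, but the nginx recipe cited at the top of the file keeps the static block after the styles and `system/files` locations, and the second hunk below is where it is being removed from. If the reordering is intentional, say so in a comment above the block, e.g. `# Intentionally precedes the styles location: image derivatives are served via @rewrite too.`; otherwise keep it in its original place.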
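Review bot: The target of `return 307 $1$2;` is assembled verbatim from `$request_uri`, which is attacker-controlled: a request for `//evil.example/index.php/x` gives `$1$2` = `//evil.example/x`. With nginx's default `absolute_redirect on`, a `Location` that starts with `/` is prefixed with `$scheme://$host`, so this is not an open redirect as shown, but it silently depends on that default; if `absolute_redirect off` is set anywhere in this server (the rest of the block is outside the hunk), it becomes a protocol-relative open redirect. Refusing a leading `//` in the capture costs nothing: `if ($request_uri ~* "^(/|/[^/].*/)index\.php/(.*)") {`. It is also worth a comment that `$request_uri` rather than `$uri` is used on purpose so that `$2` carries the original query string, since `if` on raw request data is otherwise easy to "simplify" away.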