diff --git a/src/nginxconfig/generators/conf/drupal.conf.js b/src/nginxconfig/generators/conf/drupal.conf.js
index 96eb397..8613393 100644
--- a/src/nginxconfig/generators/conf/drupal.conf.js
+++ b/src/nginxconfig/generators/conf/drupal.conf.js
@@ -28,8 +28,9 @@ export default global => {
     const config = {};
 
     config['# Drupal: deny private files'] = '';
-    config['location ~ ^/sites/.*/private/'] = {
+    config['location ~ ((^|/)\.|^.*\.yml$|^/sites/.*/private/|^/sites/[^/]+/[^/]*settings.*\.php$)'] = {
         deny: 'all',
+        return: '404',
     };
 
     config['# Drupal: deny php in files'] = '';
@@ -42,6 +43,11 @@ export default global => {
         deny: 'all',
     };
 
+    config['# Drupal: allow image styles to be handled by the CMS'] = '';
+    config['location ~ ^/sites/[^/]+/files/styles/'] = {
+        try_files: '$uri /index.php?q=$uri&$args',
+    };
+
     config['# Drupal: handle private files'] = '';
     config['location ~ ^(/[a-z\\-]+)?/system/files/'] = {
         try_files: '$uri /index.php?$query_string',