
Save as /etc/nginx/sites-available/botmerze:

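# Virtual host for BotMerze. The domain root only holds index.php; the Laravel
# application itself lives under /core and must never be served directly.
# NOTE(review): this block serves plain HTTP on port 80 only; TLS is presumably
# added in a separate step. Confirm before exposing the site.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Domain root holds index.php; Laravel is inside /core
    root /home/<domain>/public_html;
    index index.php index.html;

    # ── Security headers ─────────────────────────────────────────
    # nginx inherits add_header from this level ONLY into locations that
    # declare no add_header of their own, so any location that adds a header
    # (see the static-asset block below) has to repeat these.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers ignore it. It is kept for old clients;
    # a Content-Security-Policy is the control that actually limits XSS.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Upper bound on request bodies (uploads). Lower it if the application
    # does not need uploads this large.
    client_max_body_size 100M;

    access_log /var/log/nginx/botmerze-access.log;
    error_log  /var/log/nginx/botmerze-error.log;

    # ── BLOCK direct access to Laravel core ──────────────────────
    # /core contains .env, source code, storage — never serve it.
    # ^~ stops nginx from evaluating the regex locations below for this
    # prefix, so /core/*.php can never reach the PHP handler.
    # `return` runs before access checks, so clients see 404 (not 403);
    # `deny all` stays as a backstop if the return is ever removed.
    location ^~ /core/ {
        deny all;
        return 404;
    }

    # ── Block dotfiles (.env, .git, etc.) ────────────────────────
    # /.well-known is exempted by the negative lookahead.
    location ~ /\.(?!well-known).* {
        deny all;
        return 404;
    }

    # ── Block sensitive Laravel paths even at root ───────────────
    location ~* /(\.env|\.env\..*|composer\.(json|lock)|package(-lock)?\.json|artisan)$ {
        deny all;
        return 404;
    }

    # ── Front controller ─────────────────────────────────────────
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # ── PHP handler ──────────────────────────────────────────────
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # try_files resets $fastcgi_path_info, so capture it first.
        set $path_info $fastcgi_path_info;

        # Hand a request to PHP-FPM only when the script exists on disk.
        # Without this check, a URI such as /<uploaded-file>/x.php is passed
        # to the interpreter with a non-existent SCRIPT_FILENAME, leaving the
        # outcome to PHP's own path-info and extension settings.
        try_files $fastcgi_script_name =404;

        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO       $path_info;

        fastcgi_read_timeout 300;
        fastcgi_buffer_size  16k;
        fastcgi_buffers      4 16k;
    }

    # ── Long-cache static assets ─────────────────────────────────
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";

        # This location declares its own add_header, which cancels the
        # server-level ones; repeat them so scripts, styles and images are
        # still served with nosniff and the other security headers.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}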

Enable & reload:

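# Enable the site. -f replaces an existing link, so re-running this step
# does not fail with "File exists".
sudo ln -sf /etc/nginx/sites-available/botmerze /etc/nginx/sites-enabled/
# Drop the stock default site from the enabled set.
sudo rm -f /etc/nginx/sites-enabled/default
# Validate the configuration first; reload only if the syntax test passes,
# so a broken file never replaces the running configuration.
sudo nginx -t && sudo systemctl reload nginx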
Tip

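✅ With the rules above, https://yourdomain.com/core/.env returns 404, while https://yourdomain.com/ continues to serve the BotMerze application normally. The server block above listens only on port 80, so until TLS is configured for this site, run the same check against http://yourdomain.com/core/.env.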
