diff --git a/readme-vars.yml b/readme-vars.yml
index 051aa7f..1137b2c 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -95,6 +95,7 @@ init_diagram: |
   "phpmyadmin:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "08.02.26:", desc: "Existing users should update: site-confs/default.conf - Deny access to all dotfiles."}
   - {date: "28.12.25:", desc: "Rebase to Alpine 3.23."}
   - {date: "23.08.25:", desc: "Add support for mTLS. Existing users will need to delete their config.inc.php and restart the container."}
   - {date: "05.07.25:", desc: "Rebase to Alpine 3.22."}
diff --git a/root/defaults/nginx/site-confs/default.conf.sample b/root/defaults/nginx/site-confs/default.conf.sample
index b9f3f85..1547c39 100644
--- a/root/defaults/nginx/site-confs/default.conf.sample
+++ b/root/defaults/nginx/site-confs/default.conf.sample
@@ -1,10 +1,10 @@
-## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-phpmyadmin/commits/main/root/defaults/nginx/site-confs/default.conf.sample
+## Version 2026/05/05 - Changelog: https://github.com/linuxserver/docker-phpmyadmin/commits/main/root/defaults/nginx/site-confs/default.conf.sample
 
 map $sent_http_content_type $expires {
-    default         off;
-    ~js/            max;
-    ~themes/        max;
-    ~doc/           max;
+    default off;
+    ~js/ max;
+    ~themes/ max;
+    ~doc/ max;
 }
 
 server {
@@ -12,6 +12,8 @@ server {
     listen [::]:80 default_server;
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
 
     server_name _;
 
@@ -20,6 +22,18 @@ server {
     root /app/www/public;
     index index.html index.htm index.php;
 
+    # Allow access to the ".well-known" directory
+    location ^~ /.well-known {
+        allow all;
+    }
+
+    # deny access to all dotfiles
+    location ~ /\. {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     location / {
         # enable for basic auth
         #auth_basic "Restricted";
@@ -36,16 +50,13 @@ server {
         #auth_basic_user_file /config/nginx/.htpasswd;
 
         fastcgi_split_path_info ^(.+\.php)(.*)$;
-        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        if (!-f $document_root$fastcgi_script_name) {
+            return 404;
+        }
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
 
         fastcgi_read_timeout 3600;
     }
-
-    # deny access to .htaccess/.htpasswd files
-    location ~ /\.ht {
-        deny all;
-    }
 }