caddy: block vuln-scanner probe paths (no-PHP/WP stack) → 403, not the SPA shell

Path-only @junk matcher on upbeatbytes.com (*.php, /wp-*, /.env, /.git, /phpmyadmin,
/vendor, etc.) returns 403 instead of falling through try_files to a 200 SPA shell.
Never matches by User-Agent, so real users + Googlebot/Bing are untouched. Applied to
the live Caddyfile (validated + reloaded) and mirrored into the repo snapshot.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
jay
2026-06-30 10:11:57 -04:00
parent 86d9897113
commit 27022108b4
33 changed files with 10 additions and 0 deletions
Binary file not shown.

After

Width:  |  Height:  |  Size: 59 KiB