diff --git a/Nginx.md b/Nginx.md index 9d2b040..a34c715 100644 --- a/Nginx.md +++ b/Nginx.md @@ -41,4 +41,27 @@ server { proxy_set_header X-Forwarded-Proto $scheme; } } +``` + +## Restrict + +> [!NOTE] +> Direct access to the following files is safe and is also already restricted by the Rocket framework implementation (as unexpected by the application logic). Therefore, feel free to further restrict direct access on the Nginx side. + +**Restrict direct access to the torrent files** + +``` +location ~* \.torrent$ { + deny all; +} +``` + +**Restrict direct access to hidden files (started with dot)** + +Hidden files are temporarily created filesystem offsets by the `aquatic-crawler` and its `librqbit` client on the data preload. Permanent files are moved to folders without a dot. There is no reason to access this location. + +``` +location ~* ^/\. { + deny all; +} ``` \ No newline at end of file
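Review bot: The hidden-file rule at the end of the hunk, `location ~* ^/\. {`, is anchored to the start of the URI, so it only denies dot-prefixed names directly under the web root; a request for a dot-file one level down (for example /some-dir/.part, a constructed path) does not match this location. If `aquatic-crawler` or `librqbit` can create their temporary dot-files inside subdirectories, drop the anchor so any path segment starting with a dot is denied, e.g. `location ~ /\. {` (the `*` modifier adds nothing here because the pattern contains no letters). Both forms also deny /.well-known/, so the section should say whether ACME HTTP-01 validation is served from this server block and, if it is, document an exception. In the NOTE, "as unexpected by the application logic" is hard to parse and should be reworded, and the heading text "started with dot" should read "starting with a dot".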