Thanks people So there's no way to say "If the file ISNT a jpeg/gif/css/js" deny. The only way is to say 'if .php' deny, 'if .txt deny' etc? I'd prefer to whitelist the files i DO want to return and block everything else, incase I forget something to block? Ben Posted at Nginx Forum: http://forum.nginx.org/read.php?2,199902,201289#msg-201289