diff --git a/bin/heroku-hhvm-nginx b/bin/heroku-hhvm-nginx
index 043b6aa77..0fd3c4031 100755
--- a/bin/heroku-hhvm-nginx
+++ b/bin/heroku-hhvm-nginx
@@ -45,7 +45,7 @@ Options:
 Recommended approach when customizing Nginx's config in most cases, unless you need to set http or fundamental server level options.
- [default: $COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf]
+ [default: $COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf.php]
 -c The path to the full configuration file that is included after Heroku's (or your local) Nginx config is loaded. It must contain an 'http { ... }' block
@@ -129,7 +129,7 @@ php_config=${php_config:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-bui
 echo "Using HHVM configuration (php.ini) file '${php_config#$HEROKU_APP_DIR/}'" >&2
 php_config=$(php_passthrough "$php_config")
-nginx_config_include=${nginx_config_include:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf"}
+nginx_config_include=${nginx_config_include:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf.php"}
 echo "Using Nginx server-level configuration include '${nginx_config_include#$HEROKU_APP_DIR/}'" >&2
 nginx_config_include=$(php_passthrough "$nginx_config_include")
 export HEROKU_PHP_NGINX_CONFIG_INCLUDE="$nginx_config_include"
diff --git a/bin/heroku-php-nginx b/bin/heroku-php-nginx
index 61ec0099c..1ef3e72c2 100755
--- a/bin/heroku-php-nginx
+++ b/bin/heroku-php-nginx
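Review bot: The default include path is now written out twice in this script — in the usage text at @@ -45 and in the `nginx_config_include` assignment at @@ -129 — and the same pair is repeated in bin/heroku-php-nginx (@@ -45 and @@ -153), which is why a single file rename needs four coordinated edits. A script-level default such as `default_nginx_include="$COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf.php"` could feed both the assignment, `nginx_config_include=${nginx_config_include:-"$HEROKU_APP_DIR/$default_nginx_include"}`, and the `[default: $default_nginx_include]` line, assuming the usage text is an interpolating heredoc (it already expands `$COMPOSER_VENDOR_DIR`). It would also help to say in the `-C` help text that a custom include replaces this file rather than extending it, since the new default now carries deny rules (see conf/nginx/default_include.conf.php in this commit) that an app supplying its own include would otherwise silently lose.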
@@ -45,7 +45,7 @@ Options:
 Recommended approach when customizing Nginx's config in most cases, unless you need to set http or fundamental server level options.
- [default: $COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf]
+ [default: $COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf.php]
 -c The path to the full configuration file that is included after Heroku's (or your local) Nginx config is loaded. It must contain an 'http { ... }' block
@@ -153,7 +153,7 @@ php_config=${php_config:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-bui
 echo "Using PHP configuration (php.ini) file '${php_config#$HEROKU_APP_DIR/}'" >&2
 php_config=$(php_passthrough "$php_config")
-nginx_config_include=${nginx_config_include:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf"}
+nginx_config_include=${nginx_config_include:-"$HEROKU_APP_DIR/$COMPOSER_VENDOR_DIR/heroku/heroku-buildpack-php/conf/nginx/default_include.conf.php"}
 echo "Using Nginx server-level configuration include '${nginx_config_include#$HEROKU_APP_DIR/}'" >&2
 nginx_config_include=$(php_passthrough "$nginx_config_include")
 export HEROKU_PHP_NGINX_CONFIG_INCLUDE="$nginx_config_include"
diff --git a/conf/nginx/default_include.conf b/conf/nginx/default_include.conf
deleted file mode 100644
index e7a78a3bc..000000000
--- a/conf/nginx/default_include.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-location / {
- index index.php index.html index.htm;
-}
diff --git a/conf/nginx/default_include.conf.php b/conf/nginx/default_include.conf.php
new file mode 100644
index 000000000..23135a5e2
--- /dev/null
+++ b/conf/nginx/default_include.conf.php
@@ -0,0 +1,8 @@
+location / {
+ index index.php index.html index.htm;
+}
+
+# for people with app root as doc root, restrict access to a few things
+location ~ ^/(composer\.|Procfile$|/|/) {
+ deny all;
+}
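Review bot: The alternation in the new deny location of conf/nginx/default_include.conf.php ends in `|/|/)`, which in the text as shown would match only request paths beginning with `//`; this looks like the residue of inline PHP template expressions dropped from the page (the file is now a `.php` template, which is why the bin scripts run it through `php_passthrough`), so confirm the pattern nginx actually receives from the rendered file rather than from this view. Whatever those expanded alternatives are, they only take precedence over `location ~ \.php` in heroku.conf.php because the `include` appears earlier in that server block — nginx uses the first matching regex location in file order — and that ordering is load-bearing, so a comment such as `# keep before the .php location below: the first matching regex location wins` belongs next to the include. Also `Procfile$` is anchored while `composer\.` is not; if the intent is composer.json/.lock/.phar, `composer\.(json|lock|phar)$` would make that explicit.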
diff --git a/conf/nginx/heroku.conf.php b/conf/nginx/heroku.conf.php
index 2cbcfb84c..d541114c3 100644
--- a/conf/nginx/heroku.conf.php
+++ b/conf/nginx/heroku.conf.php
@@ -18,6 +18,7 @@ fastcgi_buffers 256 4k;
+ # define an easy to reference name that can be used in fastgi_pass
 upstream heroku-fcgi {
 #server 127.0.0.1:4999 max_fails=3 fail_timeout=3s;
 server unix:/tmp/heroku.fcgi..sock max_fails=3 fail_timeout=3s;
@@ -34,11 +35,26 @@ include ;
+ # restrict access to hidden files, just in case
+ location ~ /\. {
+ deny all;
+ }
+
 # default handling of .php
 location ~ \.php {
- try_files $uri =404;
 include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ # try_files resets $fastcgi_path_info, see http://trac.nginx.org/nginx/ticket/321, so we use the if instead
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+
+ if (!-f $document_root$fastcgi_script_name) {
+ # check if the script exists
+ # otherwise, /foo.jpg/bar.php would get passed to FPM, which wouldn't run it as it's not in the list of allowed extensions, but this check is a good idea anyway, just in case
+ return 404;
+ }
+
 fastcgi_pass heroku-fcgi;
 }
 }
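Review bot: The `location ~ \.php` that the rewritten block in the second hunk hangs off is an unanchored regex (an unchanged context line), so even with the new `fastcgi_split_path_info` and `-f` check a request for an existing file such as `/config.php.bak` or `/app.php5` still reaches `fastcgi_pass` with that file as SCRIPT_FILENAME; the comment inside the `if` relies on FPM's allowed-extension list to refuse it, and it is not clear from here that the HHVM backend, which from the bin/heroku-hhvm-nginx hunk appears to share this config, enforces an equivalent list. Anchoring the location, `location ~ \.php(/|$) {`, keeps that boundary in nginx itself and still admits the `/script.php/path/info` form the split regex is there for. The comment `# try_files resets $fastcgi_path_info, …` sits above the `PATH_INFO` param but explains the `if` block below it, so it reads better moved onto the `if`; and the new comment in the first hunk says `fastgi_pass` where `fastcgi_pass` is meant. The enclosing server block begins outside the hunk.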