diff --git a/nginx.conf.sample b/nginx.conf.sample
index 90604808f6ec0..80cc88431eff8 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -159,6 +159,11 @@ location /media/downloadable/ {
location /media/import/ {
deny all;
}
+location /errors/ {
+ location ~* \.xml$ {
+ deny all;
+ }
+}
# PHP entry point for main application
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
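Review bot: The nested `location ~* \.xml$` is consulted only when nginx ends up selecting the `/errors/` prefix block, and any top-level regex location that matches the same URI takes precedence over a plain prefix match. Whether such a regex location exists elsewhere in the file cannot be seen from this hunk, so the rule is worth verifying against the full config with a request for an `.xml` path under `/errors/`. Changing the prefix to `^~` would not be a safe shortcut, because it would also keep the PHP entry-point regex on the following line from handling `errors/report.php`, `errors/404.php` and `errors/503.php`. The pattern is end-anchored, so copies carrying a further suffix after `.xml` are still served. A short comment above the block would record the intent, e.g. `# Deny direct download of XML configuration files under /errors/`.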
@@ -198,6 +203,6 @@ gzip_types
gzip_vary on;
# Banned locations (only reached if the earlier PHP entry point regexes don't match)
-location ~* (\.php$|\.htaccess$|\.git) {
+location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
deny all;
}
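Review bot: The comment above this block is unchanged and does not say why `\.phtml$` joined the list, so a later edit could drop it without noticing the effect. Presumably the goal is to stop template source from being returned as a static file, since nothing visible here passes `.phtml` to PHP. I would extend the comment with something like `# .phtml templates are never requested directly; deny them so their source is not served as plain text`. As the existing comment notes, this deny applies only when no earlier regex location matches the URI, so it should be tested with a `.phtml` path under each directory that has its own regex location.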
diff --git a/pub/errors/.htaccess b/pub/errors/.htaccess
index 3692dd439e2ff..a7b9cbda05893 100644
--- a/pub/errors/.htaccess
+++ b/pub/errors/.htaccess
@@ -1,4 +1,7 @@
Options None
+
+ Deny from all
+
RewriteEngine Off
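Review bot: `Deny from all` is the Apache 2.2 access-control form; on Apache 2.4 it works only when mod_access_compat is loaded, and otherwise the directive is rejected and requests to this directory fail with a server error. The added lines before and after it appear empty here, which suggests an enclosing container was lost in rendering, so the scope of the deny cannot be confirmed from this hunk. If it is not already wrapped, it should be limited to the files meant to be blocked rather than the whole directory, since the error pages under `pub/errors/` still have to be served. For 2.4 the equivalent is `Require all denied`, and the two forms can be selected by a version or module check so the file loads on both.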