diff --git a/roles/drupal/defaults/main.yml b/roles/drupal/defaults/main.yml
index deced50..4c0f154 100644
--- a/roles/drupal/defaults/main.yml
+++ b/roles/drupal/defaults/main.yml
@@ -53,12 +53,12 @@ drupal_write_permissions:
 - /htdocs/sites/all/translations
 # nginx
-drupal_with_hotlink_protection: false
 # see https://github.com/wodby/nginx/blob/master/templates/presets/drupal8.conf.tmpl
 # see https://github.com/wodby/nginx/blob/master/templates/presets/drupal10.conf.tmpl
-drupal_nginx_static_files: "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp"
+drupal_nginx_files_static: "css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp"
 drupal_nginx_not_found_regex: "\\.(engine|md|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\\.php)?|xtmpl|yml|yaml)(~|\\.sw[op]|\\.bak|\\.orig|\\.save)?$|^(\\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$|(web\\.config|composer\\.(json|lock)|(package|package-lock)\\.json|yarn\\.lock)$|^#.*#$|\\.php(~|\\.sw[op]|\\.bak|\\.orig|\\.save)$"
+drupal_nginx_files_dir_static: 'txt'
 # instance wide usage (for /etc/nginx/drupal.conf)
 drupal_multilanguage: []
diff --git a/roles/drupal/templates/etc/nginx/sites-available/drupal.j2 b/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
index b4ea6fa..00e3d66 100644
--- a/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
+++ b/roles/drupal/templates/etc/nginx/sites-available/drupal.j2
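Review bot: The new default `drupal_nginx_files_dir_static: 'txt'` carries no comment, although the template change in this commit interpolates it into a regex location placed ahead of the `drupal_nginx_not_found_regex` location, and nginx uses the first regex location that matches. Every extension listed here is therefore served directly from `/sites/*/files/` even when the 404 rule would hide it, and `txt` is itself on that deny list. I would add above it `# Extensions (regex alternation) served directly from /sites/*/files/; entries here bypass drupal_nginx_not_found_regex, keep the list minimal.` Separately, inventories that still set `drupal_nginx_static_files` or `drupal_with_hotlink_protection` are now ignored without any warning, so the rename and the removal deserve an upgrade note.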
@@ -54,18 +54,26 @@ server { {% endfor %} {% endif %} - # Drupal 7 or higher generated image handling, i.e., imagecache in core. See: - # https://drupal.org/node/371374. + # Drupal 7 or higher generated image handling, i.e., imagecache in core. + # @see https://drupal.org/node/371374. location ~* /files/(css|js|styles)/ { -{% if drupal_with_hotlink_protection %} - # Image hotlinking protection. If you want hotlinking - # protection for your images uncomment the following line. - include hotlinking_protection.conf; -{% endif %} expires 1y; try_files $uri @drupal; } + location ~* /sites/.+/files/.+\.(?:{{ drupal_nginx_files_dir_static }}) { + expires 1y; + + # No need to bleed constant updates. Send the all shebang in one fell swoop. + tcp_nodelay off; + + # Set the OS file cache. + open_file_cache max=1000 inactive=30s; + open_file_cache_valid 30s; + open_file_cache_min_uses 2; + open_file_cache_errors off; + } + location ~* /sites/.+/files/optimized/(css|js)/ { expires max; add_header ETag ''; @@ -83,17 +91,23 @@ server { } } + location ~* /admin/reports/hacked/.+/diff/ { + try_files $uri @drupal; + } + # Replica of regex from Drupals core .htaccess. location ~* {{ drupal_nginx_not_found_regex }} { return 404; } # All static files will be served directly. - location ~* ^.+\.(?:{{ drupal_nginx_static_files }})$ { + location ~* ^.+\.(?:{{ drupal_nginx_files_static }})$ { access_log off; expires 30d; + # No need to bleed constant updates. Send the all shebang in one fell swoop. tcp_nodelay off; + # Set the OS file cache. open_file_cache max=3000 inactive=120s; open_file_cache_valid 45s;
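Review bot: The added `location ~* /sites/.+/files/.+\.(?:{{ drupal_nginx_files_dir_static }})` has no `$` anchor, so it matches any URI that merely contains `.txt` after `/sites/…/files/`, for example a name ending in `.txt.sql` or `.txt.bak`. Because nginx takes the first matching regex location and this block precedes the `drupal_nginx_not_found_regex` block, such requests are served as static files instead of returning 404. Ending the pattern the way the static-files location does, `location ~* /sites/.+/files/.+\.(?:{{ drupal_nginx_files_dir_static }})$ {`, limits the exemption to the listed extensions. The same ordering concern applies to the unanchored `location ~* /admin/reports/hacked/.+/diff/` added in the next hunk, where `try_files $uri` will serve an on-disk file for any URI containing that segment; a leading `^` (allowing for a language prefix if the site uses one) would confine it to the real admin route. Whether private files live under `files/` is not visible in this diff; if they do, they need a deny rule placed before this location.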