Sometimes bots or other bad actors may request pages looking for exploits. For example, bots often target .php URLs in hopes of finding Wordpress exploits.

You can add a Caddy route to your application to match these requests and return a 404 response.

{
  "handle": [
    {
      "handler": "static_response",
      "status_code": "404",
      "body": ""
    }
  ],
  "match": [
    {
      "path": [
        "*.php"
      ]
    }
  ],
  "terminal": true
},

We recommend adding this as the first entry in your application's Caddy routes array.