Nginx: block access to extensionless LICENSE files
The Drupal Nginx recipe doesn’t block access to extensionless files (such as files named “LICENSE”), and it also allows access to LICENSE.md and other files that can be checked to see what modules are in use on a Drupal site.
As an example, if I have a running Drupal site and in my browser go to mydrupalsite.example.com/modules/contrib/ckeditor/vendor/LICENSE.md, and a file is downloaded, I know that the CKEditor 4 contrib module is used. By checking files of popular modules like this, and checking the content of the files, someone could try to figure out specific versions of modules on Drupal sites, looking for vulnerable versions.
The best solution is to keep everything up-to-date, of course. Still, I’m wondering if the Drupal Nginx recipe can be improved to mitigate this method of finding what modules and dependencies are used, without blocking access to markdown files that have been uploaded to the site, as I want to support that.
Specifically, I want to block access to extensionless files altogether, as well as markdown files that come with the installed modules/dependencies and weren’t uploaded by users.
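One way to add this to the recipe, written here as an added example rather than something from the question or the Nginx Drupal recipe; it assumes the standard Drupal docroot layout (core/, modules/, themes/, profiles/, libraries/, vendor/ under the root) and that user uploads live under sites/*/files, which the rule never touches:

```nginx
# Added example, not part of the Nginx Drupal recipe.
# Assumption: code lives in the directories listed below and uploads live in
# sites/*/files. Clean URLs such as /node/1 or /about are also extensionless,
# so the match is deliberately limited to the code directories and must NOT be
# applied at the docroot level, or try_files in "location /" would never see
# those requests.
#
# Deny any request into a code directory whose last path segment either has no
# extension at all (LICENSE, CHANGELOG, core/scripts/drupal) or ends in
# .md/.txt (README.md, LICENSE.md, INSTALL.txt). Returning 404 instead of 403
# avoids confirming that the file exists.
#
# Regex locations are evaluated in order and the first match wins, so place
# this block above the recipe's other "location ~" blocks.
location ~* ^/(?:core|modules|themes|profiles|libraries|vendor)/(?:.*/)?(?:[^/.]+|[^/]+\.(?:md|txt))$ {
    return 404;
}
```

After `nginx -t` and a reload, `curl -sI https://mydrupalsite.example.com/modules/contrib/ckeditor/vendor/LICENSE.md` should return 404, while a markdown file under /sites/default/files/ is still served through the recipe's `location /` try_files as before.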
