// track and trace verbs can leak data in XSS attacks
disallowed-methods( methods={trace,track} )
// Common config files and sensitive paths that should never be accessed, even on development
regex( pattern='.*/(box.json|server.json|web.config|urlrewrite.xml|package.json|package-lock.json|Gulpfile.js)', case-sensitive=false ) -> set-error(404)
// Any file or folder starting with a period
regex('/\.')-> set-error( 404 )
// Additional serlvlet mappings in Adobe CF's web.xml
path-prefix( { '/JSDebugServlet','/securityanalyzer','/WSRPProducer' } ) -> set-error( 404 )
// java web service (Axis) files
regex( pattern='\.jws#x27;, case-sensitive=false ) -> set-error( 404 )