diff --git a/roles/archwiki/templates/nginx.d.conf.j2 b/roles/archwiki/templates/nginx.d.conf.j2
index 102383aa208a88d20d1963f5fdcdc2591963aa91..5a908d5af2a81ad869df624578044c7d25160676 100644
--- a/roles/archwiki/templates/nginx.d.conf.j2
+++ b/roles/archwiki/templates/nginx.d.conf.j2
@@ -122,12 +122,16 @@ server {
         limit_req zone=archwikilimit burst=10 nodelay;
     }
 
-    # whitelist known OK directories
-    location ~ ^/(?:skins|resources|images|extensions/ArchLinux/modules|extensions/WikiEditor/modules/images/toolbar|extensions/CodeMirror/resources/mode/mediawiki/img)/ {
+    # MediaWiki assets
+    location ~ ^/(?:images|resources/(?:assets|lib|src)|(?:skins|extensions)/.+\.(?:css|js|gif|jpg|jpeg|png|svg|wasm)$) {
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
+    location /images/deleted {
+        # Deny access to deleted images folder
+        deny all;
+    }
 
     # block all other directories
     location ~ ^/[^/]+/ {
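Review bot: The added `location /images/deleted` is a plain prefix location, so nginx still evaluates the regex locations after selecting it, and the asset regex above matches any URI beginning with `/images`. As written, requests under `/images/deleted/` would be handled by the asset block and served with the 30-day public cache headers, so `deny all` never applies to them. Changing the line to `location ^~ /images/deleted {` makes the prefix match final and skips regex evaluation. The `images` alternative in the regex also has no trailing slash, so it matches paths such as `/imagesfoo`; `images/` would be tighter. The `server` block starts and ends outside this hunk, so I can't check for other regex locations that might also match.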