Stop "Passing Uncontrolled Requests to PHP"
Many example NGINX configurations for PHP on the web advocate passing every URI ending in .php to the PHP interpreter. Note that this presents a serious security issue on most PHP setups as it may allow arbitrary code execution by third parties.
The fix is (probably) to use try_files $uri =404; as mentioned in the link.
Ex: