diff --git a/modules/services/nginx-conf.nix b/modules/services/nginx-conf.nix
index 7692c34..2a92d9a 100755
--- a/modules/services/nginx-conf.nix
+++ b/modules/services/nginx-conf.nix
@@ -107,6 +107,14 @@ in {
         ${realIpsFromList cfipv6}
         real_ip_header CF-Connecting-IP;
       '';
+
+      # prevent leaking domain through direct ip access or no host
+      # generally a good idea to keep this
+      virtualHosts."_"= {
+        default = true;
+        rejectSSL = true;
+        locations."/".return = 444;
+      };
     };
 
     networking.firewall.allowedTCPPorts = [ 443 80 ];