diff --git a/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java b/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
index a2d36fa2..8fd771f5 100644
--- a/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
+++ b/BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
@@ -51,13 +51,11 @@ public class FileRequestHandler implements HttpRequestHandler {
 @Override
 public HttpResponse handle(HttpRequest request) {
 if (
- !request.getMethod().equalsIgnoreCase("GET") &&
- !request.getMethod().equalsIgnoreCase("POST")
- ) return new HttpResponse(HttpStatusCode.NOT_IMPLEMENTED);
+ !request.getMethod().equalsIgnoreCase("GET")
+ ) return new HttpResponse(HttpStatusCode.BAD_REQUEST);
 HttpResponse response = generateResponse(request);
-
 return response;
 }
@@ -103,6 +101,11 @@ public class FileRequestHandler implements HttpRequestHandler {
 return new HttpResponse(HttpStatusCode.NOT_FOUND);
 }
+ // don't send php files
+ if (file.getName().endsWith(".php")) {
+ return new HttpResponse(HttpStatusCode.FORBIDDEN);
+ }
+
 // check if file is still in web-root and is not a directory
 if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){
 return new HttpResponse(HttpStatusCode.FORBIDDEN);
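Review bot: Answering a non-GET method with BAD_REQUEST in the new guard of handle() reports the wrong failure class: the request is well-formed, the method is simply not supported, which HTTP expresses as 405 Method Not Allowed (with an Allow: GET header) rather than 400. If the project's HttpStatusCode enum has a constant for 405, prefer it here; if it does not, the previous NOT_IMPLEMENTED was at least not misleading, and a short comment such as `// only static GET is served; other methods are rejected up front` would document the intent either way. Note that HEAD, which caches and proxies commonly send for static resources, is rejected by this guard as well (it was before the change too), so clients get a 4xx instead of the headers of the GET response. A minor style point: the temporary is now redundant and the body can be `return generateResponse(request);`.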
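Review bot: The new `.php` deny check is case-sensitive, so a request for `index.PHP` or `Index.Php` passes it, and on case-insensitive filesystems (Windows, macOS by default) that request still resolves to the same file on disk, which defeats the check; compare case-insensitively, e.g. `if (file.getName().toLowerCase(Locale.ROOT).endsWith(".php")) {` (needs `java.util.Locale` in scope). Whether other server-side extensions present in a deployment's web-root need the same treatment is a policy question the comment should answer; I would expand it to `// never serve PHP sources from the web-root as static files, regardless of extension case` so the reason for the FORBIDDEN is clear. The enclosing method starts and ends outside this hunk.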