diff --git a/admin_phpsettings.php b/admin_phpsettings.php
index 0fa1b831..f8dcc5ef 100644
--- a/admin_phpsettings.php
+++ b/admin_phpsettings.php
@@ -417,6 +417,7 @@ if ($page == 'overview') {
 $max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : 0;
 $max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : 0;
 $idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : 0;
+ $limit_extensions = validate($_POST['limit_extensions'], 'limit_extensions');
 if (strlen($description) == 0 || strlen($description) > 50) {
 standard_error('descriptioninvalid');
@@ -433,7 +434,8 @@ if ($page == 'overview') {
 `min_spare_servers` = :min_spare_servers,
 `max_spare_servers` = :max_spare_servers,
 `max_requests` = :max_requests,
- `idle_timeout` = :idle_timeout
+ `idle_timeout` = :idle_timeout,
+ `limit_extensions` = :limit_extensions
 ");
 $ins_data = array(
 'desc' => $description,
@@ -445,7 +447,8 @@ if ($page == 'overview') {
 'min_spare_servers' => $min_spare_servers,
 'max_spare_servers' => $max_spare_servers,
 'max_requests' => $max_requests,
- 'idle_timeout' => $idle_timeout
+ 'idle_timeout' => $idle_timeout,
+ 'limit_extensions' => $limit_extensions
 );
 Database::pexecute($ins_stmt, $ins_data);
@@ -543,6 +546,7 @@ if ($page == 'overview') {
 $max_spare_servers = isset($_POST['max_spare_servers']) ? (int) $_POST['max_spare_servers'] : $result['max_spare_servers'];
 $max_requests = isset($_POST['max_requests']) ? (int) $_POST['max_requests'] : $result['max_requests'];
 $idle_timeout = isset($_POST['idle_timeout']) ? (int) $_POST['idle_timeout'] : $result['idle_timeout'];
+ $limit_extensions = validate($_POST['limit_extensions'], 'limit_extensions');
 if (strlen($description) == 0 || strlen($description) > 50) {
 standard_error('descriptioninvalid');
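Review bot: `$_POST['limit_extensions']` is read without the `isset()` guard every neighbouring field uses, in both the add hunk (-417) and the edit hunk (-543), so a request that omits the field raises a notice and hands `null` to validate(); the edit path also lacks the `$result['limit_extensions']` fallback the other fields have. The add hunk could use `$limit_extensions = isset($_POST['limit_extensions']) ? validate($_POST['limit_extensions'], 'limit_extensions') : '.php';` and the edit hunk the same shape with `$result['limit_extensions']` as the fallback. Because no pattern is passed to validate() here, this diff does not show whether the `string_regexp` declared for the field is enforced before the value is stored and later written into the FPM pool file and the Apache configuration; if validate() accepts a pattern argument, passing the same anchored expression at these two call sites would close that gap. The enclosing `if ($page == 'overview')` branches start and end outside the hunks.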
@@ -559,7 +563,8 @@ if ($page == 'overview') {
 `min_spare_servers` = :min_spare_servers,
 `max_spare_servers` = :max_spare_servers,
 `max_requests` = :max_requests,
- `idle_timeout` = :idle_timeout
+ `idle_timeout` = :idle_timeout,
+ `limit_extensions` = :limit_extensions
 WHERE `id` = :id
 ");
 $upd_data = array(
@@ -573,6 +578,7 @@ if ($page == 'overview') {
 'max_spare_servers' => $max_spare_servers,
 'max_requests' => $max_requests,
 'idle_timeout' => $idle_timeout,
+ 'limit_extensions' => $limit_extensions,
 'id' => $id
 );
 Database::pexecute($upd_stmt, $upd_data);
diff --git a/install/froxlor.sql b/install/froxlor.sql
index f56d0a39..cbcae082 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -590,7 +590,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
 ('panel', 'password_special_char', '!?<>§$%+#=@'),
 ('panel', 'customer_hide_options', ''),
 ('panel', 'version', '0.9.38.8'),
- ('panel', 'db_version', '201801100');
+ ('panel', 'db_version', '201801101');
 DROP TABLE IF EXISTS `panel_tasks`;
@@ -770,6 +770,7 @@ CREATE TABLE `panel_fpmdaemons` (
 `max_spare_servers` int(4) NOT NULL DEFAULT '35',
 `max_requests` int(4) NOT NULL DEFAULT '0',
 `idle_timeout` int(4) NOT NULL DEFAULT '30',
+ `limit_extensions` varchar(255) NOT NULL default '.php',
 PRIMARY KEY (`id`),
 UNIQUE KEY `reload` (`reload_cmd`),
 UNIQUE KEY `config` (`config_dir`)
diff --git a/install/updates/froxlor/0.9/update_0.9.inc.php b/install/updates/froxlor/0.9/update_0.9.inc.php
index 48212f1d..9891df2b 100644
--- a/install/updates/froxlor/0.9/update_0.9.inc.php
+++ b/install/updates/froxlor/0.9/update_0.9.inc.php
@@ -3752,3 +3752,12 @@ if (isDatabaseVersion('201801091')) {
 updateToDbVersion('201801100');
 }
+
+if (isDatabaseVersion('201801100')) {
+
+ showUpdateStep("Adding field for security.limit_extensions fpm-setting");
+ Database::query("ALTER TABLE `" . TABLE_PANEL_FPMDAEMONS . "` ADD `limit_extensions` varchar(255) NOT NULL default '.php';");
+ lastStepStatus(0);
+
+ updateToDbVersion('201801101');
+}
diff --git a/lib/classes/phpinterface/class.phpinterface_fpm.php b/lib/classes/phpinterface/class.phpinterface_fpm.php
index 2622b090..0509666a 100644
--- a/lib/classes/phpinterface/class.phpinterface_fpm.php
+++ b/lib/classes/phpinterface/class.phpinterface_fpm.php
@@ -192,6 +192,7 @@ class phpinterface_fpm
 $fpm_max_spare_servers = (int) $this->_fpm_cfg['max_spare_servers'];
 $fpm_requests = (int) $this->_fpm_cfg['max_requests'];
 $fpm_process_idle_timeout = (int) $this->_fpm_cfg['idle_timeout'];
+ $fpm_limit_extensions = $this->_fpm_cfg['limit_extensions'];
 if ($fpm_children == 0) {
 $fpm_children = 1;
@@ -255,6 +256,7 @@ class phpinterface_fpm
 }
 $fpm_config .= ';chroot = ' . makeCorrectDir($this->_domain['documentroot']) . "\n";
+ $fpm_config .= 'security.limit_extensions = '.$fpm_limit_extensions . "\n";
 $tmpdir = makeCorrectDir(Settings::Get('phpfpm.tmpdir') . '/' . $this->_domain['loginname'] . '/');
 if (! is_dir($tmpdir)) {
diff --git a/lib/formfields/admin/phpconfig/formfield.fpmconfig_add.php b/lib/formfields/admin/phpconfig/formfield.fpmconfig_add.php
index 88a1bb8b..a8d91d86 100644
--- a/lib/formfields/admin/phpconfig/formfield.fpmconfig_add.php
+++ b/lib/formfields/admin/phpconfig/formfield.fpmconfig_add.php
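Review bot: The value read into `$fpm_limit_extensions` in the -192 hunk of class.phpinterface_fpm.php is written verbatim into the pool file in the -256 hunk, so whatever is stored in the database row, including an empty string or a value containing a line break, becomes the `security.limit_extensions` directive; PHP-FPM documents an empty value as "allow all extensions", which would silently remove the protection this setting is meant to add. Every other pool value on these lines is cast to `(int)`, and this one deserves an equivalent normalisation at generation time, independent of what the admin form validated: `$fpm_limit_extensions = trim(preg_replace('/[^ .A-Za-z0-9]/', '', (string) $this->_fpm_cfg['limit_extensions']));` followed by `if ($fpm_limit_extensions == '') { $fpm_limit_extensions = '.php'; }`. Whether rows created before the schema update can carry an empty value is not visible here, but the database default of `.php` suggests the fallback should agree with it. The enclosing method starts and ends outside both hunks.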
@@ -81,6 +81,15 @@ return array(
 'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'],
 'type' => 'int',
 'value' => 30
+ ),
+ 'limit_extensions' => array(
+ 'label' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['title'],
+ 'desc' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['description'],
+ 'type' => 'string',
+ 'string_delimiter' => ' ',
+ 'string_regexp' => '^\.[a-z]([a-z0-9]+)',
+ 'string_emptyallowed' => false,
+ 'value' => '.php'
 )
 )
 )
diff --git a/lib/formfields/admin/phpconfig/formfield.fpmconfig_edit.php b/lib/formfields/admin/phpconfig/formfield.fpmconfig_edit.php
index d5e8c17f..6b8199e3 100644
--- a/lib/formfields/admin/phpconfig/formfield.fpmconfig_edit.php
+++ b/lib/formfields/admin/phpconfig/formfield.fpmconfig_edit.php
@@ -82,6 +82,15 @@ return array(
 'desc' => $lng['serversettings']['phpfpm_settings']['idle_timeout']['description'],
 'type' => 'int',
 'value' => $result['idle_timeout']
+ ),
+ 'limit_extensions' => array(
+ 'label' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['title'],
+ 'desc' => $lng['serversettings']['phpfpm_settings']['limit_extensions']['description'],
+ 'type' => 'string',
+ 'string_delimiter' => ' ',
+ 'string_regexp' => '^\.[a-z]([a-z0-9]+)',
+ 'string_emptyallowed' => false,
+ 'value' => $result['limit_extensions']
 )
 )
 )
diff --git a/lib/version.inc.php b/lib/version.inc.php
index fb8d88d3..ac4adb0f 100644
--- a/lib/version.inc.php
+++ b/lib/version.inc.php
@@ -19,7 +19,7 @@ $version = '0.9.38.8';
 // Database version (YYYYMMDDC where C is a daily counter)
-$dbversion = '201801100';
+$dbversion = '201801101';
 // Distribution branding-tag (used for Debian etc.)
 $branding = '';
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 0893cdb6..0830a2ef 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
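Review bot: The `string_regexp` value `'^\.[a-z]([a-z0-9]+)'` added in formfield.fpmconfig_add.php is anchored only at the start, so if the form layer applies it as a plain prefix match a token such as `.php;anything` is accepted as long as it begins like an extension, and that token is what later reaches `security.limit_extensions` and the Apache FilesMatch pattern. Anchoring the end, `'string_regexp' => '^\.[a-z][a-z0-9]+$',`, restricts each space-separated token to a literal extension; the identical field definition in formfield.fpmconfig_edit.php in this diff needs the same change. Whether `string_delimiter` splits the value before the pattern is applied, and whether the pattern is applied at all on the save path, is not visible from these files. Both `return array(` literals start outside their hunks.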
@@ -2094,3 +2094,5 @@ $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt can only validate
 $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Add "-pass-header Authorization" / "CGIPassAuth On" to vhosts';
 $lng['serversettings']['ssl']['ssl_protocols']['title'] = 'Configure the TLS protocol version';
 $lng['serversettings']['ssl']['ssl_protocols']['description'] = 'This is a list of ssl protocols that you want (or don\'t want) to use when using SSL. Notice: Some older browsers may not support the newest protcol versions.

Default value is:
TLSv1, TLSv1.2
';
+$lng['serversettings']['phpfpm_settings']['limit_extensions']['title'] = 'Allowed extensions';
+$lng['serversettings']['phpfpm_settings']['limit_extensions']['description'] = 'Limits the extensions of the main script FPM will allow to parse. This can prevent configuration mistakes on the web server side. You should only limit FPM to .php extensions to prevent malicious users to use other extensions to execute php code. Default value: .php';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 830bb1c3..160ebb9a 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1745,3 +1745,5 @@ $lng['error']['nowildcardwithletsencryptv2'] = 'Let\'s Encrypt kann in ACME v2 W
 $lng['admin']['phpsettings']['pass_authorizationheader'] = 'Füge "-pass-header Authorization" / "CGIPassAuth On" in Vhosts ein';
 $lng['serversettings']['ssl']['ssl_protocols']['title'] = 'SSL Protokollversion festlegen';
 $lng['serversettings']['ssl']['ssl_protocols']['description'] = 'Dies ist eine Liste von SSL/TLS Protokollversionen die genutzt werden sollen (oder auch nicht genutzt werden sollen), wenn SSL verwendet wird. Hinweis: Ältere Browser sind möglicherweise nicht vollständig zum neusten Protokoll kompatibel.

Standard-Wert ist:
TLSv1, TLSv1.2
';
+$lng['serversettings']['phpfpm_settings']['limit_extensions']['title'] = 'Erlaubte Dateiendungen';
+$lng['serversettings']['phpfpm_settings']['limit_extensions']['description'] = 'Beschränkt die Dateierweiterungen des Haupt-Skripts, das FPM zu parsen erlaubt. Dies kann Konfigurationsfehler auf der Webserverseite verhindern. Sie sollten FPM nur auf .php Erweiterungen beschränken, um zu verhindern, dass bösartige Nutzter andere Erweiterungen verwenden, um PHP Code auszuführen. Standardwert: .php';
diff --git a/scripts/jobs/cron_tasks.inc.http.10.apache.php b/scripts/jobs/cron_tasks.inc.http.10.apache.php
index 46fe68d3..ce6bc072 100644
--- a/scripts/jobs/cron_tasks.inc.http.10.apache.php
+++ b/scripts/jobs/cron_tasks.inc.http.10.apache.php
@@ -327,7 +327,15 @@ class apache extends HttpConfigBase
 // mod_proxy stuff for apache-2.4
 if (Settings::Get('system.apache24') == '1' && Settings::Get('phpfpm.use_mod_proxy') == '1') {
- $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
+ $filesmatch = $phpconfig['limit_extensions'];
+ $extensions = explode(" ", $filesmatch);
+ $filesmatch = "";
+ foreach ($extensions as $ext) {
+ $filesmatch .= $ext.'|';
+ }
+ // start block, cut off last pipe and close block
+ $filesmatch = '('.substr($filesmatch, -1).')';
+ $this->virtualhosts_data[$vhosts_filename] .= ' '. "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost' . "\n";
 $this->virtualhosts_data[$vhosts_filename] .= ' ' . "\n";
 if ($phpconfig['pass_authorizationheader'] == '1') {
diff --git a/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php b/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
index fcd16533..85e5ae64 100644
--- a/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
+++ b/scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php
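Review bot: `substr($filesmatch, -1)` in the added block of cron_tasks.inc.http.10.apache.php returns only the trailing pipe, not the string without it, so `$filesmatch` always ends up as `(|)` instead of the alternation of configured extensions; the intended call is `substr($filesmatch, 0, -1)`. Two further problems sit in the same lines: the extensions are inserted into a regular expression without escaping, so the dot in `.php` matches any character, and an empty or whitespace-only `limit_extensions` value yields a pattern that matches every file handed to the FPM handler. The FilesMatch directive that consumes `$filesmatch` is not visible on this page, so how it is anchored cannot be checked here. The same block is duplicated in scripts/jobs/cron_tasks.inc.http.15.apache_fcgid.php and needs the identical fix; the enclosing method starts and ends outside the hunk.
```php
	$extensions = array_filter(array_map('trim', explode(' ', $phpconfig['limit_extensions'])));
	if (count($extensions) == 0) {
		// an empty list must not widen the handler match; keep the default
		$extensions = array('.php');
	}
	// alternation of literally-escaped extensions, e.g. (\.php|\.phtml)
	$filesmatch = '(' . implode('|', array_map('preg_quote', $extensions)) . ')';
	// … unchanged: FilesMatch / SetHandler / pass_authorizationheader lines …
```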
@@ -44,7 +44,15 @@ class apache_fcgid extends apache
 if (Settings::Get('system.apache24') == '1' && Settings::Get('phpfpm.use_mod_proxy') == '1' ) {
- $php_options_text.= ' '. "\n";
+ $filesmatch = $phpconfig['limit_extensions'];
+ $extensions = explode(" ", $filesmatch);
+ $filesmatch = "";
+ foreach ($extensions as $ext) {
+ $filesmatch .= $ext.'|';
+ }
+ // start block, cut off last pipe and close block
+ $filesmatch = '('.substr($filesmatch, -1).')';
+ $php_options_text.= ' '. "\n";
 $php_options_text.= ' SetHandler proxy:unix:' . $php->getInterface()->getSocketFile() . '|fcgi://localhost'. "\n";
 $php_options_text.= ' ' . "\n";